Analysis
max time kernel: 149s
max time network: 131s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-05-2024 03:08
Static task: static1
Behavioral task: behavioral1
Sample: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Resource: win10v2004-20240508-en
General
Target: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Size: 224KB
MD5: 5c7fb0927db37372da25f270708103a2
SHA1: 120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512: a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP: 3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
Extracted
C:\Users\Admin\Documents\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF8A0.tmp | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Executes dropped EXE 4 IoCs
Processes: !WannaDecryptor!.exe (4 instances)
pid | process
2524 | !WannaDecryptor!.exe
2736 | !WannaDecryptor!.exe
2452 | !WannaDecryptor!.exe
2444 | !WannaDecryptor!.exe
-
Loads dropped DLL 9 IoCs
Processes: cscript.exe, be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe, cmd.exe
pid | process
2916 | cscript.exe
1932 | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
1932 | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
1932 | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
1932 | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
1048 | cmd.exe
1048 | cmd.exe
1932 | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
1932 | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe\" /r" | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: !WannaDecryptor!.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | !WannaDecryptor!.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
2708 | vssadmin.exe
-
Kills process with taskkill 4 IoCs
Processes: taskkill.exe (4 instances)
pid | process
664 | taskkill.exe
2996 | taskkill.exe
2012 | taskkill.exe
1992 | taskkill.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: !WannaDecryptor!.exe
pid | process
2444 | !WannaDecryptor!.exe
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes: !WannaDecryptor!.exe (4 instances)
pid | process
2524 | !WannaDecryptor!.exe
2524 | !WannaDecryptor!.exe
2736 | !WannaDecryptor!.exe
2736 | !WannaDecryptor!.exe
2452 | !WannaDecryptor!.exe
2452 | !WannaDecryptor!.exe
2444 | !WannaDecryptor!.exe
2444 | !WannaDecryptor!.exe
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe"
  PID: 1932
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c 251671715396937.bat
      PID: 2220
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cscript.exe
          Command line: cscript //nologo c.vbs
          PID: 2916
          - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      Command line: !WannaDecryptor!.exe f
      PID: 2524
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im MSExchange*
      PID: 2996
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im Microsoft.Exchange.*
      PID: 2012
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im sqlserver.exe
      PID: 1992
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im sqlwriter.exe
      PID: 664
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      Command line: !WannaDecryptor!.exe c
      PID: 2736
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c start /b !WannaDecryptor!.exe v
      PID: 1048
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
          Command line: !WannaDecryptor!.exe v
          PID: 2452
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
              PID: 2404
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\vssadmin.exe
                  Command line: vssadmin delete shadows /all /quiet
                  PID: 2708
                  - Interacts with shadow copies
                C:\Windows\SysWOW64\Wbem\WMIC.exe
                  Command line: wmic shadowcopy delete
                  PID: 1648
                  - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      Command line: !WannaDecryptor!.exe
      PID: 2444
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2080
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize: 236KB
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
Filesize: 921B
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize: 136B
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize: 136B
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize: 136B
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize: 136B
-
C:\Users\Admin\AppData\Local\Temp\251671715396937.bat
Filesize: 336B
-
C:\Users\Admin\AppData\Local\Temp\c.vbs
Filesize: 219B
-
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize: 628B
-
C:\Users\Admin\AppData\Local\Temp\m.wry
Filesize: 42KB
-
C:\Users\Admin\Documents\!Please Read Me!.txt
Filesize: 797B
-
memory/1932-6-0x0000000010000000-0x0000000010012000-memory.dmp
Filesize: 72KB