Analysis
-
max time kernel
726s
-
max time network
616s
-
platform
windows7_x64
-
resource
win7-20240419-en
-
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
-
submitted
15-05-2024 18:21
Static task
static1
Behavioral task
behavioral1
Sample
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Resource
win11-20240508-en
General
-
Target
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Size
224KB
-
MD5
5c7fb0927db37372da25f270708103a2
-
SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29
-
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
-
SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
SSDEEP
3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
Extracted
C:\Users\Admin\Documents\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD252E.tmp
process: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid 2688: !WannaDecryptor!.exe
pid 1256: !WannaDecryptor!.exe
pid 904: !WannaDecryptor!.exe
pid 1260: !WannaDecryptor!.exe
-
Loads dropped DLL 9 IoCs
Processes:
pid 2792: cscript.exe
pid 2240: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
pid 2240: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
pid 2240: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
pid 2240: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
pid 1104: cmd.exe
pid 1104: cmd.exe
pid 2240: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
pid 2240: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe\" /r"
process: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"
process: !WannaDecryptor!.exe

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"
process: !WannaDecryptor!.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 2620: vssadmin.exe
-
Kills process with taskkill 4 IoCs
Processes:
pid 1612: taskkill.exe
pid 1624: taskkill.exe
pid 1688: taskkill.exe
pid 1672: taskkill.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 1260: !WannaDecryptor!.exe
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid 1260: !WannaDecryptor!.exe
pid 1260: !WannaDecryptor!.exe
pid 1260: !WannaDecryptor!.exe
pid 1744: NOTEPAD.EXE
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid 2688: !WannaDecryptor!.exe
pid 2688: !WannaDecryptor!.exe
pid 1256: !WannaDecryptor!.exe
pid 1256: !WannaDecryptor!.exe
pid 904: !WannaDecryptor!.exe
pid 904: !WannaDecryptor!.exe
pid 1260: !WannaDecryptor!.exe
pid 1260: !WannaDecryptor!.exe
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
"C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2240
  -
  C:\Windows\SysWOW64\cmd.exe
  cmd /c 21251715797596.bat
  - Suspicious use of WriteProcessMemory
  PID:2800
    -
    C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    - Loads dropped DLL
    PID:2792
  -
  C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2688
  -
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
  -
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
  -
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
  -
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
  -
  C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1256
  -
  C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1104
    -
    C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:904
      -
      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
      PID:1976
        -
        C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID:2620
        -
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID:556
  -
  C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1260
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
- Suspicious use of FindShellTrayWindow
PID:1744
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
Filesize
921B
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B
-
C:\Users\Admin\AppData\Local\Temp\21251715797596.bat
Filesize
336B
-
C:\Users\Admin\AppData\Local\Temp\c.vbs
Filesize
219B
-
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize
628B
-
C:\Users\Admin\AppData\Local\Temp\f.wry
Filesize
142B
-
C:\Users\Admin\AppData\Local\Temp\m.wry
Filesize
42KB
-
C:\Users\Admin\AppData\Roaming\CompareWait.pdf.WCRY
Filesize
272KB
-
C:\Users\Admin\Documents\!Please Read Me!.txt
Filesize
797B
-
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WCRY
Filesize
48KB
-
memory/2240-6-0x0000000010000000-0x0000000010012000-memory.dmp
Filesize
72KB