wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
148s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04-08-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD47E3.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD47F7.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

2520 !WannaDecryptor!.exe
2224 !WannaDecryptor!.exe
1000 !WannaDecryptor!.exe
2052 !WannaDecryptor!.exe
Loads dropped DLL 9 IoCs

Processes:

cscript.exeWannaCry.execmd.exe

pid process

2528 cscript.exe
2716 WannaCry.exe
2716 WannaCry.exe
2716 WannaCry.exe
2716 WannaCry.exe
2148 cmd.exe
2148 cmd.exe
2716 WannaCry.exe
2716 WannaCry.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2528	cscript.exe
2716	WannaCry.exe
2716	WannaCry.exe
2716	WannaCry.exe
2716	WannaCry.exe
2148	cmd.exe
2148	cmd.exe
2716	WannaCry.exe
2716	WannaCry.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.execscript.exetaskkill.execmd.exetaskkill.exe!WannaDecryptor!.execmd.exeWMIC.exeWannaCry.exevssadmin.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2432 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2360 taskkill.exe
2340 taskkill.exe
2324 taskkill.exe
1392 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

2052 !WannaDecryptor!.exe

pid	process
2432	vssadmin.exe

pid	process
2360	taskkill.exe
2340	taskkill.exe
2324	taskkill.exe
1392	taskkill.exe

pid	process
2052	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeBackupPrivilege	344	vssvc.exe
Token: SeRestorePrivilege	344	vssvc.exe
Token: SeAuditPrivilege	344	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe
Token: SeSecurityPrivilege	1584	WMIC.exe
Token: SeTakeOwnershipPrivilege	1584	WMIC.exe
Token: SeLoadDriverPrivilege	1584	WMIC.exe
Token: SeSystemProfilePrivilege	1584	WMIC.exe
Token: SeSystemtimePrivilege	1584	WMIC.exe
Token: SeProfSingleProcessPrivilege	1584	WMIC.exe
Token: SeIncBasePriorityPrivilege	1584	WMIC.exe
Token: SeCreatePagefilePrivilege	1584	WMIC.exe
Token: SeBackupPrivilege	1584	WMIC.exe
Token: SeRestorePrivilege	1584	WMIC.exe
Token: SeShutdownPrivilege	1584	WMIC.exe
Token: SeDebugPrivilege	1584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1584	WMIC.exe
Token: SeRemoteShutdownPrivilege	1584	WMIC.exe
Token: SeUndockPrivilege	1584	WMIC.exe
Token: SeManageVolumePrivilege	1584	WMIC.exe
Token: 33	1584	WMIC.exe
Token: 34	1584	WMIC.exe
Token: 35	1584	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe
Token: SeSecurityPrivilege	1584	WMIC.exe
Token: SeTakeOwnershipPrivilege	1584	WMIC.exe
Token: SeLoadDriverPrivilege	1584	WMIC.exe
Token: SeSystemProfilePrivilege	1584	WMIC.exe
Token: SeSystemtimePrivilege	1584	WMIC.exe
Token: SeProfSingleProcessPrivilege	1584	WMIC.exe
Token: SeIncBasePriorityPrivilege	1584	WMIC.exe
Token: SeCreatePagefilePrivilege	1584	WMIC.exe
Token: SeBackupPrivilege	1584	WMIC.exe
Token: SeRestorePrivilege	1584	WMIC.exe
Token: SeShutdownPrivilege	1584	WMIC.exe
Token: SeDebugPrivilege	1584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1584	WMIC.exe
Token: SeRemoteShutdownPrivilege	1584	WMIC.exe
Token: SeUndockPrivilege	1584	WMIC.exe
Token: SeManageVolumePrivilege	1584	WMIC.exe
Token: 33	1584	WMIC.exe
Token: 34	1584	WMIC.exe
Token: 35	1584	WMIC.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
2520	!WannaDecryptor!.exe
2520	!WannaDecryptor!.exe
2224	!WannaDecryptor!.exe
2224	!WannaDecryptor!.exe
1000	!WannaDecryptor!.exe
1000	!WannaDecryptor!.exe
2052	!WannaDecryptor!.exe
2052	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 2716 wrote to memory of 2728	2716	WannaCry.exe	cmd.exe
PID 2716 wrote to memory of 2728	2716	WannaCry.exe	cmd.exe
PID 2716 wrote to memory of 2728	2716	WannaCry.exe	cmd.exe
PID 2716 wrote to memory of 2728	2716	WannaCry.exe	cmd.exe
PID 2728 wrote to memory of 2528	2728	cmd.exe	cscript.exe
PID 2728 wrote to memory of 2528	2728	cmd.exe	cscript.exe
PID 2728 wrote to memory of 2528	2728	cmd.exe	cscript.exe
PID 2728 wrote to memory of 2528	2728	cmd.exe	cscript.exe
PID 2716 wrote to memory of 2520	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2520	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2520	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2520	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2360	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2360	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2360	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2360	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2340	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2340	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2340	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2340	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2324	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2324	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2324	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2324	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 1392	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 1392	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 1392	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 1392	2716	WannaCry.exe	taskkill.exe
PID 2716 wrote to memory of 2224	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2224	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2224	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2224	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2148	2716	WannaCry.exe	cmd.exe
PID 2716 wrote to memory of 2148	2716	WannaCry.exe	cmd.exe
PID 2716 wrote to memory of 2148	2716	WannaCry.exe	cmd.exe
PID 2716 wrote to memory of 2148	2716	WannaCry.exe	cmd.exe
PID 2148 wrote to memory of 1000	2148	cmd.exe	!WannaDecryptor!.exe
PID 2148 wrote to memory of 1000	2148	cmd.exe	!WannaDecryptor!.exe
PID 2148 wrote to memory of 1000	2148	cmd.exe	!WannaDecryptor!.exe
PID 2148 wrote to memory of 1000	2148	cmd.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2052	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2052	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2052	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 2716 wrote to memory of 2052	2716	WannaCry.exe	!WannaDecryptor!.exe
PID 1000 wrote to memory of 1264	1000	!WannaDecryptor!.exe	cmd.exe
PID 1000 wrote to memory of 1264	1000	!WannaDecryptor!.exe	cmd.exe
PID 1000 wrote to memory of 1264	1000	!WannaDecryptor!.exe	cmd.exe
PID 1000 wrote to memory of 1264	1000	!WannaDecryptor!.exe	cmd.exe
PID 1264 wrote to memory of 2432	1264	cmd.exe	vssadmin.exe
PID 1264 wrote to memory of 2432	1264	cmd.exe	vssadmin.exe
PID 1264 wrote to memory of 2432	1264	cmd.exe	vssadmin.exe
PID 1264 wrote to memory of 2432	1264	cmd.exe	vssadmin.exe
PID 1264 wrote to memory of 1584	1264	cmd.exe	WMIC.exe
PID 1264 wrote to memory of 1584	1264	cmd.exe	WMIC.exe
PID 1264 wrote to memory of 1584	1264	cmd.exe	WMIC.exe
PID 1264 wrote to memory of 1584	1264	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c 141701722786771.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2528

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2432

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
925B

MD5
4644767486116bf13e91564f12deba72

SHA1
7f037942aa0ac87b8e809a9d35c2e4af75818398

SHA256
920ed52ae836ade580e05532ace013bcdf3b8c55dc4e92f23583ff98860f4b23

SHA512
ddc8113273453312d47bcbd45917242a14940243230614e575d093404ce0ce49b51908ff27010c5c6e896757d251b77d130cc088d838bcd9536fadd92d530bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
218a38ce0b6ce783bc44b31da2839771

SHA1
f8f4fba939c1cdbd9f468d281c76977204cfcbad

SHA256
68c081d3c576b01d53212d0d0be03532792a58954111a2ebc7220d6b552699ca

SHA512
9f6cfba980052f12a0c7c5a9d376660127e8f76e31bab9f24b31007178ae5836f01f8958b039cc17de5e5d156b87d862b1f85a456a8fafec152d80ec8cf84511

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
876e29657ad8a84140d402e598685a3a

SHA1
cef48194bd1cd188a180133eb65f346beedaabfc

SHA256
b13ae2bc6dcc408481593655da09c77f394a2a027092413e3d7ca57b0f69b099

SHA512
bd58b1c88dac694e5e051de16a9540bb8585fa4cc2bf3baf35b38ba3e8cf366cd3a6074884d21a1982971fa2067ed5dbf28b2a6058dccf421b6b0947c4479ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
a5936e0511cc238faa53e1900a3e25da

SHA1
b21dd5669131a3a736681fde27dc3965839e117f

SHA256
27e638b8640a558134d05fcf1312ec44facade19aae8545224cbfb6871731e53

SHA512
26f295586aed9504dd171dbd7ba74b9e0fd4b81ebf8e5c21cb67234c76e52274aa8011d46b355fd9ca2f7b9a19532360884b79f5fd6bf4510e266cf5e1b5a007

Download Submit
C:\Users\Admin\AppData\Local\Temp\141701722786771.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
3213fa7e6b7dc43817f81c377bfeedcb

SHA1
8dd7b911a107fb25eaa4cc45437cbbc3166916e1

SHA256
b68adb308714fd49ea769ec1d2e4def654b070795cdc1311a9065c5d452370df

SHA512
10a902980f3e19abb3e09be631c7282e63a31de10ea15d9e500a30ae0d5206b8e65c62a9be10e49f033d173d173e75554e76327c51ce1b167ef9a98a7c29bbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
memory/2716-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download