wannacry | ce2194c96ebab334f8484a7a3e45e2c3bb74296fc5eddd335abf3f5c65f34967

Resubmissions

22/08/2024, 18:39

240822-xamxpsvarj 10

09/05/2023, 03:14

230509-drczaafh6w 10

Analysis

max time kernel
123s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 18:39

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Size

6.4MB
MD5

8a016c4ee71532f20b892bb35eb954f4
SHA1

204c97ab720d12e6fa04cd8bea6da019c1d4317e
SHA256

ce2194c96ebab334f8484a7a3e45e2c3bb74296fc5eddd335abf3f5c65f34967
SHA512

a0ecffce2b724287e8ab01d23d95839d7e522bc27dc14be26b5089bf8704a46c176a87f02648f6ba646938217afb1b33c6e6557ff3dce528497d9b321310c9bd
SSDEEP

6144:YE9l9yKqIYVTH5DgSg8ajldktM0XXrV2QhMV9qb:YJbLgPluwQhMb

Score

10^/10

wannacry defense_evasion discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Executes dropped EXE 3 IoCs

pid	Process
2684	tasksche.exe
2588	tasksche.exe
1764	tasksche.exe

Loads dropped DLL 1 IoCs

pid	Process
2684	tasksche.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2688	icacls.exe
2108	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-43-01-d2-50-13\WpadDecisionReason = "1"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9932C3C-9694-446E-BCAD-F9D0361EFF47}	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9932C3C-9694-446E-BCAD-F9D0361EFF47}\WpadDecisionReason = "1"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9932C3C-9694-446E-BCAD-F9D0361EFF47}\WpadDecision = "0"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9932C3C-9694-446E-BCAD-F9D0361EFF47}\WpadNetworkName = "Network 3"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-43-01-d2-50-13	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9932C3C-9694-446E-BCAD-F9D0361EFF47}\WpadDecisionTime = a010c898c2f4da01	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9932C3C-9694-446E-BCAD-F9D0361EFF47}\3a-43-01-d2-50-13	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-43-01-d2-50-13\WpadDecisionTime = a010c898c2f4da01	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-43-01-d2-50-13\WpadDecision = "0"	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
836	POWERPNT.EXE
2012	EXCEL.EXE
1344	vlc.exe
1512	vlc.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2588	tasksche.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3032	ehshell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1344	vlc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	ehshell.exe
Token: 33	1636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1636	AUDIODG.EXE
Token: 33	1636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1636	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
1344	vlc.exe
1344	vlc.exe
1344	vlc.exe
1344	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1344	vlc.exe
1344	vlc.exe
1344	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe
1512	vlc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
836	POWERPNT.EXE
2012	EXCEL.EXE
2012	EXCEL.EXE
2012	EXCEL.EXE
1344	vlc.exe
1512	vlc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2684	2840	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe	31
PID 2840 wrote to memory of 2684	2840	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe	31
PID 2840 wrote to memory of 2684	2840	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe	31
PID 2840 wrote to memory of 2684	2840	2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe	31
PID 2712 wrote to memory of 2588	2712	cmd.exe	33
PID 2712 wrote to memory of 2588	2712	cmd.exe	33
PID 2712 wrote to memory of 2588	2712	cmd.exe	33
PID 2712 wrote to memory of 2588	2712	cmd.exe	33
PID 2588 wrote to memory of 2352	2588	tasksche.exe	34
PID 2588 wrote to memory of 2352	2588	tasksche.exe	34
PID 2588 wrote to memory of 2352	2588	tasksche.exe	34
PID 2588 wrote to memory of 2352	2588	tasksche.exe	34
PID 2588 wrote to memory of 2688	2588	tasksche.exe	35
PID 2588 wrote to memory of 2688	2588	tasksche.exe	35
PID 2588 wrote to memory of 2688	2588	tasksche.exe	35
PID 2588 wrote to memory of 2688	2588	tasksche.exe	35
PID 836 wrote to memory of 2008	836	POWERPNT.EXE	40
PID 836 wrote to memory of 2008	836	POWERPNT.EXE	40
PID 836 wrote to memory of 2008	836	POWERPNT.EXE	40
PID 836 wrote to memory of 2008	836	POWERPNT.EXE	40
PID 2684 wrote to memory of 1764	2684	tasksche.exe	44
PID 2684 wrote to memory of 1764	2684	tasksche.exe	44
PID 2684 wrote to memory of 1764	2684	tasksche.exe	44
PID 2684 wrote to memory of 1764	2684	tasksche.exe	44
PID 1764 wrote to memory of 2088	1764	tasksche.exe	45
PID 1764 wrote to memory of 2088	1764	tasksche.exe	45
PID 1764 wrote to memory of 2088	1764	tasksche.exe	45
PID 1764 wrote to memory of 2088	1764	tasksche.exe	45
PID 1764 wrote to memory of 2108	1764	tasksche.exe	46
PID 1764 wrote to memory of 2108	1764	tasksche.exe	46
PID 1764 wrote to memory of 2108	1764	tasksche.exe	46
PID 1764 wrote to memory of 2108	1764	tasksche.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2352	attrib.exe
2088	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\ProgramData\wkiigmgqs580\tasksche.exe
    C:\ProgramData\wkiigmgqs580\tasksche.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2088
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2108

C:\Users\Admin\AppData\Local\Temp\2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2023-05-08_8a016c4ee71532f20b892bb35eb954f4_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2768

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\wkiigmgqs580\tasksche.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\ProgramData\wkiigmgqs580\tasksche.exe
  C:\ProgramData\wkiigmgqs580\tasksche.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2352
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2688

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\InstallConvertFrom.dll
1⤵
- Modifies registry class
PID:3060

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\StartSplit.ppt"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2008

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\WatchMount.ttf
1⤵
PID:3024

C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StopEdit.3gp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MoveAssert.wma"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
504B

MD5
e747bed0e5e1f3a27259240f10ef61c5

SHA1
e6a7f33ac22c45613b07f251fd3cb1dc096d1caf

SHA256
cd47d303a3be3b3ae696c35a4a8201fd336ce910d8191ccfbb98482a27ff3eb2

SHA512
2c25452a1c522d2f4eea8a22014a5cd60b90196f1ecdad72fc1b35c4016d05d1958e3db37c2389816b2631a74dc55402bd2bc8760dbee2e2fc175bd4b4a6be56

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
573B

MD5
896ca196bd71ebd286e7270d7a4b0bbf

SHA1
50215fe6b085fe3a971d5be93a4bd95977e196bf

SHA256
591a5e6f3ce423dac788374a4df8c536f3cd1ff70dcde62bbbc73f2c3771cf2b

SHA512
c03c010137f8962997a31be9692956716b1d4037e3a1957817c4fdf37d1fac7b773a2d11a66c86f2103f0c2d90cd3b7b01035b8517ef20c86269708e9dc657f1

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
e8d6f5d0bdec0b3dd769b15b3f611d9e

SHA1
6f13e5ac38b1f4d7db57c9748451cb0fd7a05830

SHA256
8dc8a0436b2283f19a426294ee6315d837032eadebd354d058c507dd1fd6411c

SHA512
e55241861acce1e5eded2602af3055e509d418f4b3516ed1743b6b740bc49c69e799d419ea694e6befb6706d1601a3ad174758586e0bb85e23ff89e3f00f9d3a

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a27cfbfad728fa5ec8e701a6f93cab26

SHA1
deba582c9c8f059590132395f987c2acf54e7a7f

SHA256
c0057fd3141966017014beb71fa2e31d84d3ddd2a9f20e3e6ee26df8165a531f

SHA512
8c095ccb3367903bc5498d0222ee537ef2bbd4f4204fe9a9a9babe2426d8a377240a15892e248e6e252bf3b229eecc8b1c960136988bf3398941e20a1e542b5d

Download Submit
memory/836-13-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/836-14-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1344-53-0x000007FEED630000-0x000007FEED8E6000-memory.dmp

Filesize
2.7MB

Download
memory/1344-54-0x000007FEEC160000-0x000007FEED210000-memory.dmp

Filesize
16.7MB

Download
memory/1344-52-0x000007FEEF510000-0x000007FEEF544000-memory.dmp

Filesize
208KB

Download
memory/1344-51-0x000000013FD90000-0x000000013FE88000-memory.dmp

Filesize
992KB

Download
memory/1512-91-0x000000013FAE0000-0x000000013FBD8000-memory.dmp

Filesize
992KB

Download
memory/1512-93-0x000007FEF65F0000-0x000007FEF68A6000-memory.dmp

Filesize
2.7MB

Download
memory/1512-92-0x000007FEF7290000-0x000007FEF72C4000-memory.dmp

Filesize
208KB

Download
memory/1512-94-0x000007FEF5E80000-0x000007FEF5F8E000-memory.dmp

Filesize
1.1MB

Download
memory/2012-15-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2768-12-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2840-0-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2840-10-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3032-37-0x000000001B690000-0x000000001B69A000-memory.dmp

Filesize
40KB

Download
memory/3032-36-0x000000001B690000-0x000000001B69A000-memory.dmp

Filesize
40KB

Download
memory/3032-35-0x000000001D9A0000-0x000000001D9D7000-memory.dmp

Filesize
220KB

Download
memory/3032-33-0x000000001EF30000-0x000000001EFE8000-memory.dmp

Filesize
736KB

Download
memory/3032-32-0x000000001CEB0000-0x000000001CF4E000-memory.dmp

Filesize
632KB

Download
memory/3032-31-0x000000001E760000-0x000000001E8E4000-memory.dmp

Filesize
1.5MB

Download
memory/3032-30-0x000000001E150000-0x000000001E758000-memory.dmp

Filesize
6.0MB

Download