wannacry | 01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(2017) WannaCry.exe
Size

224KB
MD5

75031983cb851f3475c460a40797fe62
SHA1

4ee0238f082123aeb7642ea2e427f57cf4ee954a
SHA256

01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4
SHA512

635b72c7fb8d8b3818364a8a239941d4b4ec608f3d87ee966ce6abd599b847f2aee1e895d996391a1802a57afb41127fbc5e87020b5b280aca2066039e94ca36
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/Efc:+5RwTs/dSXj84mRXPemxdBlPvLzLe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

(2017) WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8E17.tmp	(2017) WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8E1E.tmp	(2017) WannaCry.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

5104 !WannaDecryptor!.exe
3972 !WannaDecryptor!.exe
3960 !WannaDecryptor!.exe
1336 !WannaDecryptor!.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

(2017) WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\(2017) WannaCry.exe\" /r"	(2017) WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.execmd.exeWMIC.exe(2017) WannaCry.execscript.exe!WannaDecryptor!.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exe!WannaDecryptor!.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(2017) WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

896 taskkill.exe
2372 taskkill.exe
4440 taskkill.exe
3032 taskkill.exe

pid	process
896	taskkill.exe
2372	taskkill.exe
4440	taskkill.exe
3032	taskkill.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1048	WMIC.exe
Token: SeSecurityPrivilege	1048	WMIC.exe
Token: SeTakeOwnershipPrivilege	1048	WMIC.exe
Token: SeLoadDriverPrivilege	1048	WMIC.exe
Token: SeSystemProfilePrivilege	1048	WMIC.exe
Token: SeSystemtimePrivilege	1048	WMIC.exe
Token: SeProfSingleProcessPrivilege	1048	WMIC.exe
Token: SeIncBasePriorityPrivilege	1048	WMIC.exe
Token: SeCreatePagefilePrivilege	1048	WMIC.exe
Token: SeBackupPrivilege	1048	WMIC.exe
Token: SeRestorePrivilege	1048	WMIC.exe
Token: SeShutdownPrivilege	1048	WMIC.exe
Token: SeDebugPrivilege	1048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1048	WMIC.exe
Token: SeRemoteShutdownPrivilege	1048	WMIC.exe
Token: SeUndockPrivilege	1048	WMIC.exe
Token: SeManageVolumePrivilege	1048	WMIC.exe
Token: 33	1048	WMIC.exe
Token: 34	1048	WMIC.exe
Token: 35	1048	WMIC.exe
Token: 36	1048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1048	WMIC.exe
Token: SeSecurityPrivilege	1048	WMIC.exe
Token: SeTakeOwnershipPrivilege	1048	WMIC.exe
Token: SeLoadDriverPrivilege	1048	WMIC.exe
Token: SeSystemProfilePrivilege	1048	WMIC.exe
Token: SeSystemtimePrivilege	1048	WMIC.exe
Token: SeProfSingleProcessPrivilege	1048	WMIC.exe
Token: SeIncBasePriorityPrivilege	1048	WMIC.exe
Token: SeCreatePagefilePrivilege	1048	WMIC.exe
Token: SeBackupPrivilege	1048	WMIC.exe
Token: SeRestorePrivilege	1048	WMIC.exe
Token: SeShutdownPrivilege	1048	WMIC.exe
Token: SeDebugPrivilege	1048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1048	WMIC.exe
Token: SeRemoteShutdownPrivilege	1048	WMIC.exe
Token: SeUndockPrivilege	1048	WMIC.exe
Token: SeManageVolumePrivilege	1048	WMIC.exe
Token: 33	1048	WMIC.exe
Token: 34	1048	WMIC.exe
Token: 35	1048	WMIC.exe
Token: 36	1048	WMIC.exe
Token: SeBackupPrivilege	4808	vssvc.exe
Token: SeRestorePrivilege	4808	vssvc.exe
Token: SeAuditPrivilege	4808	vssvc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
5104	!WannaDecryptor!.exe
5104	!WannaDecryptor!.exe
3972	!WannaDecryptor!.exe
3972	!WannaDecryptor!.exe
3960	!WannaDecryptor!.exe
3960	!WannaDecryptor!.exe
1336	!WannaDecryptor!.exe
1336	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

(2017) WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 3688 wrote to memory of 4872	3688	(2017) WannaCry.exe	cmd.exe
PID 3688 wrote to memory of 4872	3688	(2017) WannaCry.exe	cmd.exe
PID 3688 wrote to memory of 4872	3688	(2017) WannaCry.exe	cmd.exe
PID 4872 wrote to memory of 1340	4872	cmd.exe	cscript.exe
PID 4872 wrote to memory of 1340	4872	cmd.exe	cscript.exe
PID 4872 wrote to memory of 1340	4872	cmd.exe	cscript.exe
PID 3688 wrote to memory of 5104	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 5104	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 5104	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 896	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 896	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 896	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 2372	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 2372	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 2372	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 3032	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 3032	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 3032	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 4440	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 4440	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 4440	3688	(2017) WannaCry.exe	taskkill.exe
PID 3688 wrote to memory of 3972	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 3972	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 3972	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 1892	3688	(2017) WannaCry.exe	cmd.exe
PID 3688 wrote to memory of 1892	3688	(2017) WannaCry.exe	cmd.exe
PID 3688 wrote to memory of 1892	3688	(2017) WannaCry.exe	cmd.exe
PID 1892 wrote to memory of 3960	1892	cmd.exe	!WannaDecryptor!.exe
PID 1892 wrote to memory of 3960	1892	cmd.exe	!WannaDecryptor!.exe
PID 1892 wrote to memory of 3960	1892	cmd.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 1336	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 1336	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3688 wrote to memory of 1336	3688	(2017) WannaCry.exe	!WannaDecryptor!.exe
PID 3960 wrote to memory of 1064	3960	!WannaDecryptor!.exe	cmd.exe
PID 3960 wrote to memory of 1064	3960	!WannaDecryptor!.exe	cmd.exe
PID 3960 wrote to memory of 1064	3960	!WannaDecryptor!.exe	cmd.exe
PID 1064 wrote to memory of 1048	1064	cmd.exe	WMIC.exe
PID 1064 wrote to memory of 1048	1064	cmd.exe	WMIC.exe
PID 1064 wrote to memory of 1048	1064	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\(2017) WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\(2017) WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 310741730021895.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
ac5cf290e01b5a22ce35816ea5e62786

SHA1
4b0e78f596fa8ebbab0fbfc74be75742221178cb

SHA256
c649d6fc9c921bb913ceca895b26e7549383254e33a68c74e82b406159172495

SHA512
5f7ef807ff41a8cc684762a5732b83c16e57e98494bc28262bf25db204e4901e916a6b074e06622f411236fff57acabb8fb2b9fd58d4527fa98f17897223434b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
beb244bad749b759f1c0804271b5efc5

SHA1
8ea2339ee855eb096734385ea63843f183c8d98b

SHA256
d20ec4ff0e275be570e7938cdf85eb49c92f4800cabeb86909d42151345071af

SHA512
2e55e890178b8ad1a2673c087fb8f22d98ea29e9ee73c0c9827b464eeb1bb9a51639c7d2d3ae88d1196be25f98a7990a01261a828859b3380b20116ee8261698

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
10dcb747d72d78dddb39b07b62eb9073

SHA1
48f6ba2cf3ae361be348d9bb2784d3c77277e6e7

SHA256
c301b6843938d9b1f910a2ce98c7e18992900434cbd0d694a9832be977535c95

SHA512
30b7533ed05122c5628a37c715a22b26c4357b9d38a9b7dea196c9d6e154daf50c969159c8404e4748f85faa71b675d95c4891cc5b93566938472cdbfadadbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
5f3885bbc172d7d5f3db888b96cb7cd7

SHA1
21477f41315730b79108f79c5a3cfa8804701c11

SHA256
13bfef9824f04de5b1c2732355043fbee2e82101527575bccbfc4180d7ba58b1

SHA512
b5979ef2d901f28050809c995d9fb04c6c1890cf8c223dd6fe35e5555779f739d8eb3bc915818284e27b166f8cb964f966f2d93581126928c81c597d0eefac24

Download Submit
C:\Users\Admin\AppData\Local\Temp\310741730021895.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
19d874cfd897e0557fef962774d16f74

SHA1
0bf3e6fdc130bb1e61cf25ecd5772cf967072fbe

SHA256
fce397b7437346c8891062b1eaaad47540f595469d4b98ebe068c2d6dd9e7d63

SHA512
f8ad3d2edcc8b350cce5885449ef9ee0a067f632a7cd372d505f05e40a5ca2555dd5f1879d2bc490350bbd3b2b85730de6a1b0df44394bffff08cf113295e77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/3688-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download