wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
599s
max time network
501s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-01-2025 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8CE4.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8CEB.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
2792	!WannaDecryptor!.exe
1892	!WannaDecryptor!.exe
476	!WannaDecryptor!.exe
744	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 4 IoCs

evasion

pid	Process
216	taskkill.exe
3036	taskkill.exe
3116	taskkill.exe
2416	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
816	WINWORD.EXE
816	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4868	WMIC.exe
4868	WMIC.exe
4868	WMIC.exe
4868	WMIC.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4868	WMIC.exe
Token: SeSecurityPrivilege	4868	WMIC.exe
Token: SeTakeOwnershipPrivilege	4868	WMIC.exe
Token: SeLoadDriverPrivilege	4868	WMIC.exe
Token: SeSystemProfilePrivilege	4868	WMIC.exe
Token: SeSystemtimePrivilege	4868	WMIC.exe
Token: SeProfSingleProcessPrivilege	4868	WMIC.exe
Token: SeIncBasePriorityPrivilege	4868	WMIC.exe
Token: SeCreatePagefilePrivilege	4868	WMIC.exe
Token: SeBackupPrivilege	4868	WMIC.exe
Token: SeRestorePrivilege	4868	WMIC.exe
Token: SeShutdownPrivilege	4868	WMIC.exe
Token: SeDebugPrivilege	4868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4868	WMIC.exe
Token: SeRemoteShutdownPrivilege	4868	WMIC.exe
Token: SeUndockPrivilege	4868	WMIC.exe
Token: SeManageVolumePrivilege	4868	WMIC.exe
Token: 33	4868	WMIC.exe
Token: 34	4868	WMIC.exe
Token: 35	4868	WMIC.exe
Token: 36	4868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4868	WMIC.exe
Token: SeSecurityPrivilege	4868	WMIC.exe
Token: SeTakeOwnershipPrivilege	4868	WMIC.exe
Token: SeLoadDriverPrivilege	4868	WMIC.exe
Token: SeSystemProfilePrivilege	4868	WMIC.exe
Token: SeSystemtimePrivilege	4868	WMIC.exe
Token: SeProfSingleProcessPrivilege	4868	WMIC.exe
Token: SeIncBasePriorityPrivilege	4868	WMIC.exe
Token: SeCreatePagefilePrivilege	4868	WMIC.exe
Token: SeBackupPrivilege	4868	WMIC.exe
Token: SeRestorePrivilege	4868	WMIC.exe
Token: SeShutdownPrivilege	4868	WMIC.exe
Token: SeDebugPrivilege	4868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4868	WMIC.exe
Token: SeRemoteShutdownPrivilege	4868	WMIC.exe
Token: SeUndockPrivilege	4868	WMIC.exe
Token: SeManageVolumePrivilege	4868	WMIC.exe
Token: 33	4868	WMIC.exe
Token: 34	4868	WMIC.exe
Token: 35	4868	WMIC.exe
Token: 36	4868	WMIC.exe
Token: SeBackupPrivilege	2316	vssvc.exe
Token: SeRestorePrivilege	2316	vssvc.exe
Token: SeAuditPrivilege	2316	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
744	!WannaDecryptor!.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2792	!WannaDecryptor!.exe
2792	!WannaDecryptor!.exe
1892	!WannaDecryptor!.exe
1892	!WannaDecryptor!.exe
476	!WannaDecryptor!.exe
476	!WannaDecryptor!.exe
744	!WannaDecryptor!.exe
744	!WannaDecryptor!.exe
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE
816	WINWORD.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 5116	3488	WannaCry.exe	80
PID 3488 wrote to memory of 5116	3488	WannaCry.exe	80
PID 3488 wrote to memory of 5116	3488	WannaCry.exe	80
PID 5116 wrote to memory of 948	5116	cmd.exe	82
PID 5116 wrote to memory of 948	5116	cmd.exe	82
PID 5116 wrote to memory of 948	5116	cmd.exe	82
PID 3488 wrote to memory of 2792	3488	WannaCry.exe	83
PID 3488 wrote to memory of 2792	3488	WannaCry.exe	83
PID 3488 wrote to memory of 2792	3488	WannaCry.exe	83
PID 3488 wrote to memory of 3036	3488	WannaCry.exe	85
PID 3488 wrote to memory of 3036	3488	WannaCry.exe	85
PID 3488 wrote to memory of 3036	3488	WannaCry.exe	85
PID 3488 wrote to memory of 3116	3488	WannaCry.exe	86
PID 3488 wrote to memory of 3116	3488	WannaCry.exe	86
PID 3488 wrote to memory of 3116	3488	WannaCry.exe	86
PID 3488 wrote to memory of 2416	3488	WannaCry.exe	87
PID 3488 wrote to memory of 2416	3488	WannaCry.exe	87
PID 3488 wrote to memory of 2416	3488	WannaCry.exe	87
PID 3488 wrote to memory of 216	3488	WannaCry.exe	88
PID 3488 wrote to memory of 216	3488	WannaCry.exe	88
PID 3488 wrote to memory of 216	3488	WannaCry.exe	88
PID 3488 wrote to memory of 1892	3488	WannaCry.exe	95
PID 3488 wrote to memory of 1892	3488	WannaCry.exe	95
PID 3488 wrote to memory of 1892	3488	WannaCry.exe	95
PID 3488 wrote to memory of 4752	3488	WannaCry.exe	96
PID 3488 wrote to memory of 4752	3488	WannaCry.exe	96
PID 3488 wrote to memory of 4752	3488	WannaCry.exe	96
PID 4752 wrote to memory of 476	4752	cmd.exe	98
PID 4752 wrote to memory of 476	4752	cmd.exe	98
PID 4752 wrote to memory of 476	4752	cmd.exe	98
PID 3488 wrote to memory of 744	3488	WannaCry.exe	100
PID 3488 wrote to memory of 744	3488	WannaCry.exe	100
PID 3488 wrote to memory of 744	3488	WannaCry.exe	100
PID 476 wrote to memory of 4412	476	!WannaDecryptor!.exe	101
PID 476 wrote to memory of 4412	476	!WannaDecryptor!.exe	101
PID 476 wrote to memory of 4412	476	!WannaDecryptor!.exe	101
PID 4412 wrote to memory of 4868	4412	cmd.exe	103
PID 4412 wrote to memory of 4868	4412	cmd.exe	103
PID 4412 wrote to memory of 4868	4412	cmd.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 306131736660679.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\WriteSet.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
89ea7028790ba6f74a477d286acf5ffe

SHA1
aec595385a5364953721abfd80899ebb96d79c47

SHA256
e6d90bce935e0f12bd77ddcb517f111a9f5d34d876a0f846f0a30ac10dc7328e

SHA512
8fc846bada9fa02bffbbaebb24ae21b296b61346efcffb81a0dc1f652e994568bc26c7ed03e31293932493de5e13a02de313d66b6517db1e0815d2b9da7e5fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
9ff69be36c62e319d30cf499269da4ec

SHA1
ba1bcab20aeff387b0efeda61875ccb44d1d233e

SHA256
a3df1a018ffce4dd0515e7d467bc0d7dc45a56d3bab06ef624436a4c97bc1351

SHA512
f9781656da549b56408aa58098864122b4ff711b67847b2c17fa7b2d39ec04c039ecb2a77a21b96675fcc31cc5c4115965fe534b39d0dbd0b2ce37e7f677a429

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e915e520dde69c298cb3ea1907379597

SHA1
ce767dcbe3566f47ab537f297ab87c3d58ca336a

SHA256
840a0dbb10ec433f58b72144f880e52098bbef5e09598b4ebed98fd951bb91d9

SHA512
351c96c4f38514e20dbc9d52806d951902035477603b778da8c6d777e78b909a55adf6f77ac80bd3930ef62b7bac739f0d176b79046fba65dbb81e886f476823

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
91615f2883e88b664674320b0402d52a

SHA1
ebb392b099481c06eeb4628e2440006b2c48f604

SHA256
791f03c3bf525293e0958c42dd6c04bceb8a81acd735a5a2404ee52b29441013

SHA512
991781e23ef38a0f8f35d409ddcc3f977a3282c6e88c9f213625f3cc81beb0ed1046a317b6b9d8f0510b9429c311a1e410dc37f3af24952e4264cb8e14fd5b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\306131736660679.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
41061db0f5f4fb03652cb0b2ce9651d7

SHA1
c5c9c7676452840f9f8ef1e9ceff1c244f5cc94d

SHA256
3b868d9b607b8671b5937d02b79a76acabd69e93c7879cef2484b329228134e2

SHA512
2872a70e4bcea2f4d8152bc46e2c4ead98e37117458b4f8be4b5603b580c3f239d9ea878380b5d8ed6b95e9c43ad52d725d8b55962b6919a70b728bf3a381362

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
01ed3b314cde21aad45e4c5f450b93fd

SHA1
08cb0f96769d5a684a219fb8203017f64b122d46

SHA256
f879e4abfb041f7fbe96a333eae284fb2fe8e155e64ac7ab04f61c611cc75cea

SHA512
1cb94748a03104b2913e8a118b77ac11fdf959e7a9075c09233bda86f25af01eee404716438009d6b87ce57702292ca2ad8e9f630ed2f69df8a8988293e4ff9b

Download Submit
C:\Users\Admin\Desktop\WriteSet.docx

Filesize
15KB

MD5
8d88e6d0fb7b2ad4c2e222a17888b93c

SHA1
44ad1a3709bc8bd34cab65b4d34b5e0b741e85ed

SHA256
86a790509f2e05dc16d65a9f06ab86c90b8bf85e52a668ce8c89bf2d5a76ec8c

SHA512
f9a614c49b2350956db4ef078c9c33d112f6bec03012a6c1adaf1db961af40f58f1dc755f92e48f3639a6335cd2e988b8105afa3d7302a505b018b30f5a5618b

Download Submit
memory/816-1153-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/816-1154-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/816-1155-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/816-1156-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/816-1157-0x00007FF9DE6B0000-0x00007FF9DE6C0000-memory.dmp

Filesize
64KB

Download
memory/816-1158-0x00007FF9DE6B0000-0x00007FF9DE6C0000-memory.dmp

Filesize
64KB

Download
memory/816-1152-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/816-1192-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/816-1191-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/816-1194-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/816-1193-0x00007FF9E0950000-0x00007FF9E0960000-memory.dmp

Filesize
64KB

Download
memory/3488-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download