Introduction
This post walks through the memory dump analysis of a WannaCry-infected system using Volatility (an open source memory forensics framework) and other open source tools. It does not cover the initial infection vector, propagation or recovery of the infected system. The objective is to use memory forensic analysis to uncover and extract Indicators of Compromise (IoCs).
WannaCry
WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency bitcoin in 28 languages. The attack has been described by Europol as unprecedented in scale. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Disclaimer
- You are dealing with real malware samples
- Don't expose them to internal networks or the internet
- Analyze them in controlled environments (sandboxes)
- We are not responsible for any consequences of damage if you fail to obey the rules
sha256sum: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
MemoryDump
sha256sum: 76e8be1a3761878325fdff39a5ab1ff84922a0b18947e5268dd9175795ad2bf0
Sample: https://mega.nz/#!Au5xlCAS!KX5ZJKYzQgDHSa72lPFwqKL6CsZS7oQGbyyQrMTH9XY
Analysis
Six-step investigative methodology by SANS (digital-forensics.sans.org/media/Poster-2015-Memory-Forensics.pdf)
- Identify rogue processes
- Analyze process DLLs and handles
- Review network artifacts
- Look for evidence of code injection
- Check for signs of rootkit
- Dump suspicious processes and drivers
- strings
- peinfo
- pestudio
- virustotal
Only one URL containing unknown strings was found, and it was later identified as a kill switch. Wana Decryptor infects systems through a malicious program that first tries to connect to an unregistered web domain. The kill switch appears to work like this: if the malicious program can't connect to the domain, it proceeds with the infection; if the connection succeeds, the program stops the attack. Later, a security researcher from MalwareTech found and activated the kill switch by registering the web domain and posting a page on it.
The above indicators suggest that WannaCry can drop binaries on the fly to run different tasks on the system, and we hope to see these processes in the upcoming memory analysis.
We can see a few more interesting strings related to mutex creation on the infected system and to granting or modifying discretionary access controls on it. A strange password-like string, 'WNcry@2ol7', can also be spotted.
A deeper dive into the strings shows various files with the .wnry extension. Only dynamic analysis can help in understanding these files.
Let's assume that we now have only the memory dump in hand and no other indicators of compromise available. Using Volatility, we can uncover memory-resident artifacts and reconstruct the timeline of activity on the infected system. Start with volatility imageinfo.
Run the pslist command to look at the processes running at the time the memory was acquired. It is always good to know the native Windows processes so that the other processes can be easily identified.
PID 1940 started PID 740, and both processes look completely strange; tasksche was also spotted in the strings of the WannaCry binary. Running the psscan plugin also lists all processes, including terminated ones, which helps identify the process hierarchy and the timeline of creation.
If we sort the output by process creation time using sort, the timeline of process creation becomes easy to follow. The unknown processes below can be considered suspicious.
Looking at the order of process creation, the taskse.exe process was created before the taskdl.exe process, but there is still no indication of what these processes do. Below are the results from well-known search engines for these processes.
These samples have already been analyzed by large threat intelligence and AV vendors, but in reality, when it comes to unknown threats, a lot of new indicators can be uncovered in a short time.
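The pslist/psscan triage described above, as an added Python example (not code from the original post): it parses psscan-style text, orders processes by creation time and lists the names outside a baseline of native Windows processes together with their parent chain. The sample rows are constructed in an assumed Volatility 2 column layout; only PIDs 1940 and 740 come from the post, and the baseline set is an assumption to tune per Windows version.

```python
import re
from datetime import datetime

# Constructed sample laid out like Volatility 2 `psscan` text output.
# Only PIDs 1940 and 740 come from the post; every other PID, PPID,
# offset and timestamp is made up for illustration.
SAMPLE_PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001f4daf0 taskdl.exe          860   1940 0x06f40300 2017-05-12 21:26:23 UTC+0000   2017-05-12 21:26:23 UTC+0000
0x0000000001f53d18 taskse.exe          536   1940 0x06f40320 2017-05-12 21:26:22 UTC+0000   2017-05-12 21:26:23 UTC+0000
0x0000000001f69b50 lsass.exe           620    544 0x06f400a0 2017-05-12 21:21:56 UTC+0000
0x0000000001fde308 tasksche.exe       1940   1636 0x06f40200 2017-05-12 21:22:14 UTC+0000
0x000000000218ef08 @WanaDecryptor@     740   1940 0x06f40240 2017-05-12 21:22:22 UTC+0000
0x0000000002231da0 explorer.exe       1636   1608 0x06f401c0 2017-05-12 21:22:10 UTC+0000
0x00000000023c87c0 System                4      0 0x00319000
"""

# Assumed baseline of native process names; tune it per Windows version.
NATIVE = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
          "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

ROW = re.compile(
    r"^(0x[0-9a-f]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)"
    r"(?:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC[+-]\d{4})?"
    r"(?:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC[+-]\d{4})?\s*$"
)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None


def parse_psscan(text):
    """Turn psscan rows into dicts; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _off, name, pid, ppid, _pdb, created, exited = m.groups()
            procs.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                          "created": _ts(created), "exited": _ts(exited)})
    return procs


def timeline(procs):
    """Processes that carry a creation time, oldest first (the `sort` step)."""
    return sorted((p for p in procs if p["created"]), key=lambda p: p["created"])


def suspicious(procs, baseline=NATIVE):
    """(created, name, parent chain, has_exited) for names outside the baseline."""
    by_pid = {p["pid"]: p for p in procs}   # caveat: PIDs can be reused over time
    rows = []
    for p in timeline(procs):
        if p["name"].lower() in baseline:
            continue
        chain, cur, seen = [], p, set()
        while cur and cur["pid"] not in seen:   # walk up until the parent is unknown
            seen.add(cur["pid"])
            chain.append(f'{cur["name"]}({cur["pid"]})')
            cur = by_pid.get(cur["ppid"])
        rows.append((p["created"], p["name"], " <- ".join(chain),
                     p["exited"] is not None))
    return rows


if __name__ == "__main__":
    for created, name, chain, exited in suspicious(parse_psscan(SAMPLE_PSSCAN)):
        state = "exited" if exited else "running"
        print(f"{created}  {name:<16} {state:<8} {chain}")
```
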
Run the dlllist plugin to identify each process's DLLs and the path the process was executed from. This gives a clear picture of malicious processes when they are run from dropped binaries in uncommon folders.
Identify the path of the binary for the tasksche.exe process, which clearly looks uncommon and suspicious. It is recommended to look at the loaded DLLs to understand the characteristics of the process, such as encryption, registry modification and socket creation.
The @WanaDecryptor@ process (PID 740) runs from the same path as tasksche.exe. Based on the DLLs it loads, @WanaDecryptor@ can perform socket creation (Ws2_32.dll), high-level network communication (WININET.DLL), registry queries (ADVAPI32.DLL), encryption (SECURE32.DLL) and interaction with browsers such as Internet Explorer (URLMON.DLL).
Looking at the handles of PID 1940, it has created a mutex named "MsWinZonesCacheCounterMutexA". (Mutexes have long been used by malware authors to prevent more than one instance of the malware from running on the same machine. An old anti-malware trick consists of creating a specific mutex to prevent the execution of a specific malware.)
A quick search for this mutex on Google gives
The mutex "MsWinZonesCacheCounterMutexA" can serve as one of the IOCs for identifying infected systems. Mutex is only one type of handle: the Volatility handles plugin can also identify File, Key, Event, Thread and Port handles for any process. A quick look at the files accessed by PID 1940
It is recommended to look at the Key handle type for any process, as it can give insight into registry changes made by that process. Below are the Key handles for PID 740.
No persistence mechanism has been found yet. It can be identified with the printkey plugin by checking the Run, RunOnce, Winlogon and BootExecute keys, the startup folders and the services key.
Network-related artifacts can be identified with the connections plugin for active connections and the connscan plugin for terminated connections.
Sadly, no connections were found. Since a memory dump can also hold some network connections, we can use the data carving tool bulk_extractor to extract network connections from memory. The Volatility ethscan plugin can also extract a pcap from a memory dump.
The extracted pcap was opened in Wireshark to look for the kill switch domain name and other network connections. Unfortunately, no kill switch was found in this pcap (extracted from memory), only a few unknown remote IPs.
Using tshark, all IPs from the pcap are extracted to a text file and can then be used as indicators of compromise.
The kill switch was found in a pcap that was captured while WannaCry was infecting the system; the download link is available below.
Pcap: https://mega.nz/#!h6oCBbYS!TV46RntkpyZaPZYaSpir3iutOQLBZvm4xf4t84enuHM
sha256sum: 88088077d67bd10dbc1d4bd1c240ad1a7f6c0b251bc22bcc2c6b52eba9142d2b
In line with the kill switch mechanism of WannaCry's author, the infection proceeded because the domain did not resolve and was unreachable. In this pcap, a number of unknown hosts were found.
All IPs were copied to a text file using tshark and can be used as automated indicators of compromise.
- tshark -T fields -e ip.src -r dump.pcap | sort -u
These files can be dumped by their respective physical addresses using the dumpfiles plugin with the -Q option.
Further analysis of these extracted binaries, whether static, dynamic or reverse engineering, can give a lot of insight into the ransomware's mechanism. We can also dump any desired file for further analysis, and the hashes of these files can be used as indicators of compromise for detection engines.
Interesting strings were found in the @WanaDecryptor@.exe binary, such as s.wnry, f.wnry and c.wnry, messages related to payment and how to use bitcoins, and APIs related to encryption and to deletion of the victim's volume shadow copies.
The strings below were found in the @WanaDecryptor@ binary. The files with the extension must be downloaded and checked to understand the characteristics of the binary.
It is always recommended to dump the memory address space of processes and check it for suspicious entries, rather than focusing solely on the binary itself.
The Volatility memdump plugin was used to dump the address space of the @WanaDecryptor@ and tasksche.exe processes to look for any indicators.
Looking at the strings of the tasksche.exe process (PID 1940), it was found that tasksche.exe started the @WanaDecryptor@ process with command-line arguments.
Further analysis of the strings revealed how the ransomware runs the @WanaDecryptor@ process using a script of operations, sets up a registry key for itself under the Run key as a persistence mechanism, and kills a few services such as DB and MS Exchange.
Looking at the strings of the @WanaDecryptor@ (PID 740) process dump, it was found that the malware uses Tor hidden services for command and control.
The onion domains are as follows
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
The bitcoin address is
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
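The strings review of a memdump output described above can be scripted; this added Python example (not code from the original post) carves ASCII and UTF-16LE strings from a process dump and pulls out .onion hosts, .wnry file names, the mutex and bitcoin address candidates, marking each candidate with its Base58Check result to weed out look-alike noise. The sample buffer is constructed from values listed on this page plus one deliberately altered address; the regexes and function names are assumptions of this example.

```python
import hashlib
import re

# Mutex name taken from this post.
KNOWN_MUTEXES = (b"MsWinZonesCacheCounterMutexA",)

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ONION_RE = re.compile(rb"(?<![a-z2-7])[a-z2-7]{16}\.onion")   # v2 hidden service
BTC_RE = re.compile(rb"(?<![1-9A-HJ-NP-Za-km-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}"
                    rb"(?![1-9A-HJ-NP-Za-km-z])")
WNRY_RE = re.compile(rb"[\w@]+\.wnry", re.I)


def carve_strings(data, min_len=6):
    """ASCII runs plus UTF-16LE runs (narrowed), like `strings` and `strings -el`."""
    out = [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    out += [m.group()[::2]
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return out


def base58check_ok(addr):
    """True if addr decodes to 25 bytes whose last 4 match the double SHA-256."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))        # leading '1' = leading zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def extract_iocs(data):
    found = {"onion": set(), "wnry": set(), "mutex": set(), "btc": {}}
    for s in carve_strings(data):
        found["onion"].update(m.decode() for m in ONION_RE.findall(s))
        found["wnry"].update(m.decode().lower() for m in WNRY_RE.findall(s))
        for m in BTC_RE.findall(s):
            found["btc"][m.decode()] = base58check_ok(m.decode())
        if any(k in s for k in KNOWN_MUTEXES):
            found["mutex"].add(s.decode())
    return found


# Constructed stand-in for a memdump output file; values are from this page,
# except the second address, whose last character was altered on purpose.
SAMPLE_DUMP = b"\x00\x00".join([
    b"gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;"
    b"76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;",
    b"12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
    b"12t9YDPgwueZ9NyMgw519p7AA8isjr6SMx",
    "Global\\MsWinZonesCacheCounterMutexA".encode("utf-16-le"),
    b"\xde\xad\xbe\xef" * 8,
    b"s.wnry", b"f.wnry", b"c.wnry",
])

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_DUMP).items():
        print(kind, sorted(values.items()) if isinstance(values, dict) else sorted(values))
```
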
All dropped files were dumped using the dumpfiles plugin, and their hashes can be used as indicators of compromise or submitted to search engines. YARA is also handy for writing your own rules to quickly prevent or identify ransomware infections.
Note: All these types of indicators can also be quickly identified by dynamic malware analysis in a sandboxed environment, but the objective here is to show how to leverage memory forensic techniques to unearth the IOCs.
Timeline Analysis
All memory-resident artifacts have metadata associated with them, and Volatility supports various plugins for building a timeline of those artifacts. The timeliner, mftparser and shellbags plugins can produce timeline activity in body file format, which can then be fed to the mactime utility with the proper timezone.
The above screenshot is just a glance at the timeline activity, and it shows how taskdl.exe and taskse.exe were involved in the infection process.
Highlighted IOCs so far
- tasksche.exe
- taskse.exe
- @WanaDecryptor@
- taskdl.exe
- ivecuqmanpnirkt615
- icacls . /grant Everyone:F /T /C /Q
- WNcry@2ol7
- MsWinZonesCacheCounterMutexA
- MsWinZonesCacheCounterMutexA0
- Global\\MsWinZonesCacheCounterMutexA
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw (bitcoin wallet)
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
Dropped files
This is just an explanatory post on leveraging Volatility to gather actionable intelligence more quickly.
Good work Donny. I just want to ask, how do you get the memory dump that includes all files dropped by the binary? Since if I run the tools to dump memory it will dump it in an instant as a whole and will not let me specify when to stop dumping. The binary drops files and then deletes them, so I need to get those deleted files somehow.
I just executed the binary in VirtualBox XP and I dumped the memory by using vboxmanage. What tools did you use to dump memory?
FTKImager, WinPmem can be used to take a dump.
Thanks.
please share the password for dump file at vashista35@gmail.com
infected
pls can send me password for extracting wannacry.7z
Email: ngocphucit2810@gmail.com
infected
It's standard for many ! :)
What is password for extracting wannacry.7z???
send me email please :) i'll share
nilaymistry30@gmail.com
Thanks.
Thanks for the post!
May I have the password for the dump file please? My email is yr0mem@null.net
Hi Please check your inbox
Pls send password here as well, m91@aol.in
Great analysis. Please share the password - jedi1977@protonmail.com
Excellent! Thank you for the post. I'd love to have the password as well - runnergirl400@msn.com
Hi, Please check your inbox :)
Nice work Mate. Can you pls share the password ? My email id is kentz.clarkz@gmail.com Thanks.
Excellent! Can u send me the file dump password?
email : jlcnate@codernate.org
Similar deal, I would like to get the password to the zip so I can recreate the work and learn a bit.
email: msmith20@albany.edu
Thanks,
Mike
Please check your inbox
Thanks
Kindly share the memory dump password on: myselfvisa@gmail.com
please can I get the password for the memory dump please? socket.contact@gmail.com
Hi Donny, can you send me the file dump password? My email is forfotam@yahoo.ro
Thanks.
hello donny i want the memory dump password file, send to my email domirez666@gmail.com #thanks
hi can you please give me password of dump to vamsikrishna951@gmail.com
Hi.
Congratulations for the excellent tutorial.
Can you please send to me the password of the dump?
My email is: lf.vieira.slb@gmail.com
Thank you.
infected
Hello, could you send the password to me at coolhandluke727@comcast.net? Thanks!
Please share the password for extracting the wannacry.7z file.
prajapati.jay.67@gmail.com
Kindly can you send the password mj1_mz1@yahoo.com Thanks
infected
It's standard for many !
Please let me know the password! and how do I run it? Can you plzz guide..
Thank you for your blog. Really helped us in our project.
Hi, Great write up. I have a question on one of the pieces that you've mentioned, this is regarding the use of Bulkextractor to extract network connections from mem dump in .pcap format. I tried using it but I don't get the net scanner output in .pcap format, instead a folder named pcap is created (i use windows) and text files along with xml data is found. Even that xml data does not appear to be in a format that wireshark would throw some light. I looked through the contents using excel, is it possible to help, I am doing a vol analysis of a mem dump and want to carve network connections that aren't shown by netscan. The ethscan doesn't seem to work either.
It's not guaranteed that you have to get network connections unless the system established. Check the cmdline options once again and run
Hi , great analysis ! Can you please email the password to priyjan.5@gmail.com . Thanks!
infected
It's standard for many !
password of dump please
my email is muqaddas.noreen@gmail.com
Thank you for sharing complete information about wannacry ransomware. I appreciate your efforts! Explaining every detail with pictures is the best part of your blog.
Thanks for the detailed analysis of WannaCry. Hope it helps in dealing with future threats.
Hi, can you give me the password for the 7z? my email is francisgutierrez714@gmail.com.. thanks very much!
asdsd
May I have the password for the dump file please? My email is stwanwahyu@gmail.com
thanks for article
infected
it's standard for many !
hey password please @ aws.ki.testing@gmail.com
infected
it's standard for many !
Great write up. Thank you!
please send me password!
nhanpvt.ct@gmail.com
infected
it's standard for many !
hey password please, thank feyk0hesap@gmail.com
Hi, I would like to have the password for the file, my email is riotcbslayer@gmail.com
Please share the password for extracting the wannacry.7z file.
phoe.n1ecks@gmail.com
Hi, I would like to have the password for the file, my email is jbc0729@gmail.com
thank you
password please. osintlabworks@gmail.com
thank you
infected
Hi, can I please get the password? Thank you! Email: alphas.innerhalb_0h@icloud.com
Hi can i get the password of the zip file? tq email : kusatotan2000@gmail.com
Your blog contains lots of valuable data. It is a factual and beneficial article for us. Thankful to you for sharing an article like this.
It's great that you provide this learning resource. A bit disconcerting that you require that we provide our email address, here in a publicly available forum in order to get the unzip password. If we are required to expose ours, perhaps you should expose yours too.
That said, can I please get the password for the zip file. Please send it to: kmarshall 'at' neumont 'dot' edu?