Malware Analysis Report

2025-04-13 22:35

Sample ID: 240325-bgx6csbh26
Target: https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0
Tags: wannacry discovery persistence ransomware worm
Score: 10/10

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0 was found to be: Known bad.

Malicious Activity Summary

wannacry discovery persistence ransomware worm

Wannacry

Deletes shadow copies

Modifies file permissions

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Enumerates physical storage devices

Modifies registry key

Views/modifies file attributes

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-25 01:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-25 01:07
Reported: 2024-03-25 01:14
Platform: win7-20240221-en
Max time kernel: 380s
Max time network: 381s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD526C.tmp C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jfaipnfbp319 = "\"C:\\Users\\Admin\\Downloads\\Ransomware.WannaCry\\tasksche.exe\"" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected] N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected] N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 300 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 300 wrote to memory of 2692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 300 wrote to memory of 2792 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 300 wrote to memory of 564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0

C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

"C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c 248731711329072.bat

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

@[email protected] co

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

@[email protected] vs

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe

TaskData\Tor\taskhsvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe

taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

@[email protected]

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jfaipnfbp319" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jfaipnfbp319" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\datareporting\glean\pending_pings\e80a409c-48ff-427d-ae57-4e1cafa23baf

MD5 5aead7d5a2b0184fdef64e6243895523
SHA1 68eaaf450c7b9708628eda55bc2a33779cfcf547
SHA256 0cbef827ab85d4045854cfcee2718fd20b32f5ed02e06a5365fcad4822d0998c
SHA512 5fd800b564f7ad781ea542eed4c4ae408a41cb388411d88965659c6847d432e704f7868a06117c319ff92680a0f5ec1829753ba11656aee170634984e5422f6d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\datareporting\glean\db\data.safe.bin

MD5 bb568dc8b809c471ef1c296db4157216
SHA1 41152a14ed9abd9631c8f9ff1a44e97f0886a634
SHA256 6d06fe6f3c2d0e3e25937da0372df3b9096ea67306376a147d2983fef4176ab6
SHA512 440521bcb2b0c86548e3745b51db1ab9d8afafb6c78b20fe354ad5fcb999ee815649a263d8e491215894423bc7e5a4ef6497f42224e55b3a71352adb6120a127

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 08bc7216948b4f8d9ac9a2c7d24c05bc
SHA1 22a60e549dfb0af87644a6d2942cd6a3a87503bc
SHA256 442eb57c31d28f879947de918e6be263155deebbf6197ae3bfc57aee75ad568b
SHA512 8a03e3e2f345a3e4c09f3cc8412dba4ee72b259aaf99d0a3326cf07215fba804b4f0e55237548881e33a195c79aaee462ab6e06ca8b6f5e3a9d6b9e7262e991b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\prefs-1.js

MD5 86870e2b22a5b76b483c8c5d1c9443d3
SHA1 6b11e5fb32b35af3371163cfe3da7b7e97a392c2
SHA256 5e7f345aac9b0450b6d8ff6648fb393e0f7a105bca6a13a01b20a0f3a0e0d5af
SHA512 a37c3df01bc42647a94b33d41b7751edc440e811d9766db4ff4492bd9ffa13877a4c7b4bfe39e974a9869cff1633834a00db0589a490c4b104d503622b2b87d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a8de8d534d41a068e7918d872c721414
SHA1 5b102e367a95c4333b8f64de46340ab1fb8305f2
SHA256 cc8f23e0e958352abba89949e933f86b7acf9ff7bd5efdd739e4b11f203c9da9
SHA512 123aa40ec69bccb1bf1858d1eadc890d725ce70bd51baadbb7add9de97483779e8d791af39c32695c54c72f4780816585215163478678e6d6de9d9c15ee3d074

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\prefs-1.js

MD5 ad6581bce25c68aa5490310426d886b2
SHA1 e831f4f652ceed624b89a994805441e916258264
SHA256 f15d7667e0073a6a8797fab6d6de48f5c770d2229674ce251f6c175ab07f8511
SHA512 8efcfe36e84c505fee3adeeceab39f3e3480eaaaff0a1493548770547e1ca001b5df22c7309e8888c13effac856e33054ba459e184697bb150e9eb9d9136d701

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4d97ba96a3dc173a77e152aa81d7361f
SHA1 83f2b8f4e50deba9d79cb5d23c63eedcd5c3b601
SHA256 715c2e81697d925a83ec26e98dfad9fbd4c577acf7f66d430a02d6d5b8126c27
SHA512 4d65bde064be4502a587a9cd15b58dde9eec7caeee2c5fbe9b07088fecf91a6530503d431c754acb0126e8764dd3212c30c6692b67ce72467c21919f8ae6632e

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 efe76bf09daba2c594d2bc173d9b5cf0
SHA1 ba5de52939cb809eae10fdbb7fac47095a9599a7
SHA256 707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a
SHA512 4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a98e1f459c473db3656a3f0c1e50e867
SHA1 bc69df544b02f69eeb1a1d1fc23942f3c6dbc612
SHA256 6725167ef55148b256582626e05be5461a536a451a41727095eb6b1e30f4e737
SHA512 88775647172091335d986ca7290d8ea1fce2ac01da24b410adbe291f42b25ef1d22f0e82f5fb6c94f1bb42b11eb36151379e9772ccfaf3525f9fa8af49d7ef1e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\sessionstore-backups\recovery.jsonlz4

MD5 412b6c4e1e47f6568e3873cb7bdd8fee
SHA1 e951ddac1a8db23e08aebb6079d3059973837efd
SHA256 a0f2b23ed99578bcbb1f8a0fdea37763baf4779dce7665a9a2a5c2833fe04453
SHA512 b3a893712fcced29329bd8e91eb86f7dfaf3a38f70baaa95b2255c2be5bd090e5e56c9611ffea9cd9490a6445f2dd7042c66a1da772a9e9f8a5116d0eb1a1973

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cache2\doomed\12690

MD5 880741e99c11eae303f703d21852e530
SHA1 7eb704ce47f9447be5e78a1877640533756312a2
SHA256 c29c77a2988fd73817d469c8958ecabdf49e89d9f56baef3c8f975d1b3ed235b
SHA512 13daa17285739c607b1d172fe7d4d19297f5ee59dca17304f43e87e9481f81604fa9cc85d4c4f919e0aef29fc0747b1429cec918cff547029d96ab0a038e02be

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cache2\doomed\13846

MD5 bc3d47f86d4d0937070c9e498564d483
SHA1 2407219467cf6bd798a0cb63ce5b382db6406e05
SHA256 49c4c4cb61f487a463738fca087aff2ae6af1e0cced5248f34a23a134f0fe057
SHA512 523f0e18f4efdf87664b91b96ae45b44490e6027ecbab3e821c0b3a9f21824a5620d822d72ab7bb5092db2943fd1d962487ff19a5f289cc9c2e468a70e44b05d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cache2\doomed\13622

MD5 27e18d90155c548ced7ff925663415a9
SHA1 5460c620e25343e0f6a672cffecdba935dcfb398
SHA256 fa8713b08812d24e45ba7139692d6d853b888bad26efa428a1b143ba1a34efed
SHA512 51660c526805007018ff0e8fa976edf8cb881d8a30834d804f5ba1f5816d4e62b99bd36fe2b88303024beecce158e8fadca053beb1b63c69037e780c07cc50e2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cache2\doomed\30025

MD5 b4b169f15e62366fd9efe67e6447fc2b
SHA1 4f20cd3a3eebf4b5cd5b737d1a6b976b565c0a4d
SHA256 dd14acf1dafece219966358225696a62a4d9181495c079bded25be44306614f5
SHA512 c29f29bd6215ec2c67bb5b61a261bda7ec8e341885e3c34e824256c3f6ba47665f69ac0d970d853c628e4b3796e21a5c0d91c7db2269b1dd2ba367b73ff10c1e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cache2\doomed\12724

MD5 06f9ec5c2948c966d8081dac038e2e38
SHA1 0ec8bd6a7a34985428d45f41b45601e86f91a67e
SHA256 79c4e1979c614a0c7d4f38fb5c672b815bf3bbbda650e17d21690264818978f2
SHA512 fcff95099085cf7fb6f173f7bc0a13f98dc2e29cc98b64ae39d7b40eea1d626e0f589dc16bebdf3e7801957ab7c0a98629eb9b1fdc5dadf5ba31bc152d7f3fdf

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cache2\doomed\24776

MD5 434bc15424c94a67d08d85914eb7d64e
SHA1 07f697c98b07b636e30cb8960afbf39a3fabe804
SHA256 65cacc19c3a0457168957bce14c96fc182d589cd01ee197627fda505a19d8a48
SHA512 6bb1760fd5fbf3aa963f2c8469e5ceb9fca6b522c8cc610ddece8207206cc705bf5bfdcbbcc5cdf09ed958edcdcd7a2efb88d740af1fa18fd43329b8a568bfe0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cache2\doomed\12276

MD5 d8e7077a9f3b5652a9fe1ea70b65c860
SHA1 1e8d99e46b8abfe9cc6ed16f5ac6eabbe8ad488b
SHA256 bcd019003b6fb8ac71b56c653c64017c9aec6b196612d7a109742e21c5c295d3
SHA512 ad7ad05b561272b7bf53a61092856ac71107ab6504a4f279a58c516980b5717f40c71afd94c1a0523dd4e22c03231a3a966c60c5407044a839a6f82767b684f5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a9d15c7421749f0194460376e5aef926
SHA1 6183ec58cb0b29239983e106a76d60b3363b6bc2
SHA256 1913a94fc3dca1aa427c0b6566e43d1c3aa5f405fe982af7cdbb5fd36ccf9f41
SHA512 50f4c11e90601021beb466b7fbf1807c028f22b626c1e51466f87c88a31afdbeb9071a8ddada42eddfa19dab0bd2d75942e0ade432733a49d152145d92e7c6b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\sessionstore-backups\recovery.jsonlz4

MD5 073915eeae61179904b5710a0f141ee1
SHA1 69640ec5f7995d0861a74581afb1cf7927aad435
SHA256 a55dbdef4c17c300d6b015ccceda2d05ab91b0326a8537cc31f3a7c293f1c044
SHA512 c1a5333b75f8abf948b56388278183174565e78b128d7eb58ff34d8ea844f378264517a975f296c23258e59fc75a8af93ec0c8b18b87815a93aa34ef7f301e4f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ed33f83ab8742e20946936397dd75472
SHA1 2e2c17cad852acc9f6a1500274e6a49f699c4d56
SHA256 9c0d8327db86c8679df580a6a6407b8f398bf114a0189254169dc00bd7481ba8
SHA512 5dd2694103f375fa1f7e8019bdb01bb19634e2f7a3ff14592d8f03ed37895658618101b22d048059441d4c3c88ed54d5ca77b7243ea453266a05c5291dd8c3bb

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_romanian.wnry

MD5 313e0ececd24f4fa1504118a11bc7986
SHA1 e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA256 70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512 c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

C:\Users\Admin\Downloads\Ransomware.WannaCry\u.wnry

MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe

MD5 8495400f199ac77853c53b5a3f278f3e
SHA1 be5d6279874da315e3080b06083757aad9b32c23
SHA256 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
SHA512 0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe

MD5 4fef5e34143e646dbf9907c4374276f5
SHA1 47a9ad4125b6bd7c55e4e7da251e23f089407b8f
SHA256 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
SHA512 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

C:\Users\Admin\Downloads\Ransomware.WannaCry\t.wnry

MD5 5dcaac857e695a65f5c3ef1441a73a8f
SHA1 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd
SHA256 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
SHA512 06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

C:\Users\Admin\Downloads\Ransomware.WannaCry\s.wnry

MD5 9825f4747e1cacb9d205666b4c1d386e
SHA1 a22245b29937135633a6e4892b0a10f14c342963
SHA256 0d9d13fc8777b214a40551f4f2f99766f2f0bb3d89371b221c9341c6af5e0f4c
SHA512 1ef9afe9369023ae0e0488fec14b91ec0736a50dcb950fa1ddb74e2f95a69e9a6191aefe1c186e69dca3778a294f4c6111161eb5049883994aa6127505c3612d

C:\Users\Admin\Downloads\Ransomware.WannaCry\r.wnry

MD5 3e0020fc529b1c2a061016dd2469ba96
SHA1 c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA512 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_vietnamese.wnry

MD5 8419be28a0dcec3f55823620922b00fa
SHA1 2e4791f9cdfca8abf345d606f313d22b36c46b92
SHA256 1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8
SHA512 8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_turkish.wnry

MD5 531ba6b1a5460fc9446946f91cc8c94b
SHA1 cc56978681bd546fd82d87926b5d9905c92a5803
SHA256 6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415
SHA512 ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_swedish.wnry

MD5 c7a19984eb9f37198652eaf2fd1ee25c
SHA1 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae
SHA256 146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4
SHA512 43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_spanish.wnry

MD5 8d61648d34cba8ae9d1e2a219019add1
SHA1 2091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA256 72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA512 68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_slovak.wnry

MD5 c911aba4ab1da6c28cf86338ab2ab6cc
SHA1 fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256 e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA512 3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_russian.wnry

MD5 452615db2336d60af7e2057481e4cab5
SHA1 442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA256 02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA512 7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_portuguese.wnry

MD5 fa948f7d8dfb21ceddd6794f2d56b44f
SHA1 ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256 bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA512 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_polish.wnry

MD5 e79d7f2833a9c2e2553c7fe04a1b63f4
SHA1 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512 e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_norwegian.wnry

MD5 ff70cc7c00951084175d12128ce02399
SHA1 75ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256 cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512 f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_latvian.wnry

MD5 c33afb4ecc04ee1bcc6975bea49abe40
SHA1 fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256 a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA512 0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_korean.wnry

MD5 6735cb43fe44832b061eeb3f5956b099
SHA1 d636daf64d524f81367ea92fdafa3726c909bee1
SHA256 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA512 60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_japanese.wnry

MD5 b77e1221f7ecd0b5d696cb66cda1609e
SHA1 51eb7a254a33d05edf188ded653005dc82de8a46
SHA256 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512 f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_italian.wnry

MD5 30a200f78498990095b36f574b6e8690
SHA1 c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA256 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512 c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_indonesian.wnry

MD5 3788f91c694dfc48e12417ce93356b0f
SHA1 eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA256 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512 b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_greek.wnry

MD5 fb4e8718fea95bb7479727fde80cb424
SHA1 1088c7653cba385fe994e9ae34a6595898f20aeb
SHA256 e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA512 24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_german.wnry

MD5 3d59bbb5553fe03a89f817819540f469
SHA1 26781d4b06ff704800b463d0f1fca3afd923a9fe
SHA256 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA512 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_french.wnry

MD5 4e57113a6bf6b88fdd32782a4a381274
SHA1 0fccbc91f0f94453d91670c6794f71348711061d
SHA256 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA512 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_filipino.wnry

MD5 08b9e69b57e4c9b966664f8e1c27ab09
SHA1 2da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256 d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_english.wnry

MD5 fe68c2dc0d2419b38f44d83f2fcf232e
SHA1 6c6e49949957215aa2f3dfb72207d249adf36283
SHA256 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512 941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_dutch.wnry

MD5 7a8d499407c6a647c03c4471a67eaad7
SHA1 d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA256 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512 608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_danish.wnry

MD5 2c5a3b81d5c4715b7bea01033367fcb5
SHA1 b548b45da8463e17199daafd34c23591f94e82cd
SHA256 a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_czech.wnry

MD5 537efeecdfa94cc421e58fd82a58ba9e
SHA1 3609456e16bc16ba447979f3aa69221290ec17d0
SHA256 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512 e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

memory/1988-518-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_croatian.wnry

MD5 17194003fa70ce477326ce2f6deeb270
SHA1 e325988f68d327743926ea317abb9882f347fa73
SHA256 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512 dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (traditional).wnry

MD5 2efc3690d67cd073a9406a25005f7cea
SHA1 52c07f98870eabace6ec370b7eb562751e8067e9
SHA256 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA512 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (simplified).wnry

MD5 0252d45ca21c8e43c9742285c48e91ad
SHA1 5c14551d2736eef3a1c1970cc492206e531703c1
SHA256 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA512 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_bulgarian.wnry

MD5 95673b0f968c0f55b32204361940d184
SHA1 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA256 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA512 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

C:\Users\Admin\Downloads\Ransomware.WannaCry\c.wnry

MD5 8124a611153cd3aceb85a7ac58eaa25d
SHA1 c1d5cd8774261d810dca9b6a8e478d01cd4995d6
SHA256 0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
SHA512 b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

C:\Users\Admin\Downloads\Ransomware.WannaCry\b.wnry

MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

C:\Users\Admin\Downloads\Ransomware.WannaCry\248731711329072.bat

MD5 fe9561e52b9a2cad33eaa33fbdaee8f4
SHA1 2bc1b267837017ec84edec64e2ed5ab787a59793
SHA256 6cf7e177e05490a3326a71f20a6640edef1d92936601969df22b0ea5261b1d44
SHA512 e734e185a32b0d2109cb666c8bf217096fffb9804578b97d8b108a7edae01ab129c7e6bf20174faf67c5ec493e9ce0e98d85381017fd3b879fe7232a36430261

C:\Users\Admin\Downloads\Ransomware.WannaCry\m.vbs

MD5 cb8af050def8bd8ff07b6fece0b09530
SHA1 8faf2a240203f7dc8739952672c788a0fb2df973
SHA256 c97d8fc0de558b033cbf088ef69122addd364e65a49111aec218465549bf1227
SHA512 5ccb09d7e199f31e4a9a92621755c6514e8aae6187b6bef8aba2b6644834776941401188646dbf552639a13124285de15b18e6ff12acb57f91cb7d204cafdd57

C:\Users\Admin\Documents\@[email protected]

MD5 7a2726bb6e6a79fb1d092b7f2b688af0
SHA1 b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA512 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

MD5 4af193142a23d7a5cf8b879fe225c5c2
SHA1 1efb5aaa85d26b73cc1395cf193fa15e02cca88c
SHA256 ac4d77f7d4f0ac9b960ac7508a62ab09f4cfa981987c94af1153b63889a13a4f
SHA512 c48ce4bb3ddfc2b1d503862572fdd002e93c3d9f13cbd6b2a1f5c153b521878d73d6a58d72241094cfd9c61fe91136e30d3cfaf14358b00d45a16e296134e62f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cert9.db

MD5 5827ef10225df2b81f4529690fff3ef0
SHA1 1e90b9715b8deeac41aca334c1dc05ff0c57fc4c
SHA256 0dd4ae9df70a48874d9831ef467855a34a73d8b231b184ff309666113a6f9a80
SHA512 599a413b57c2f7ce8cdea1270638067c008d4fcec2cc73e77cecea18d2718baf325f73471ddf283cd4dbc73482407311ff4a769878f218167ac34c43a52c5411

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\prefs.js

MD5 5de3fb57d774bc3ffad3efcbe63736d9
SHA1 313a626c4216bc63ba96a31f8916cad958b87d72
SHA256 f680132407aa454ebe7e4f86b776a8edf0e1e6b86b6abf1b63a877e13bae3d2d
SHA512 73eaddb48d452f33a86d242edbe6304676ccbc21e1307cb896f7be4417beee30f43983820b7ea8cabe7e1be58603c6b5ce41144c213fd6ea655a74d5f3f020e3

C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

MD5 124a6daa8f12ae60361f07e2d775632c
SHA1 18c77dc913c9a772d716095745474ace2a942062
SHA256 cd50b6bbf4c4b7da4f8ab126c70115d1457f582502a2cf92c33a77d4e00c326a
SHA512 ab102cf8ed40e56c7b2d37a7ff2902eed134a31e413f319810031b07f46ba3edb67d7b2fe5610d9f07b89ff2c423f7e5b76fea51d0b80c5cb54789c68ee2f084

C:\Users\Default\Desktop\@[email protected]

MD5 53fb1d62714701be9d91f4dc81adb5ee
SHA1 e8f89fe3d8d4334fb9885e8f3b3020df6637f822
SHA256 81e8e90c50c419b13344f973331066f86cb461ce15d551a353f9ab52f5533efc
SHA512 5dc31512e1c0fb41ae9202c1efbaacf72a43c1c0892b0c93b2c503ba8035ae285d66c0b17c0d3873e64057957b52ac0554c57fb60483a1cef19546e4a609d8ff

C:\Users\Admin\Downloads\Ransomware.WannaCry\00000000.res

MD5 98619914cc3541360ae009df574f732a
SHA1 31257b52df1404db3baafd580664ba5bb6011492
SHA256 73f067ddeb0e4d0424e44ae5dd0bd201acd0732d62ede377824ccae33943f208
SHA512 147c9b935f02909b53ac3802916b802e4a395c668b1f198009f7702c91658a193732b2ea4bad83383fa73e90bde53d439c4e28f4896df8e7dc9a01883e14a7cf

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe

MD5 11aa1716f7f0628978ada7c005fc8dfc
SHA1 c09e6269690670929f52ded956297a88c0059acc
SHA256 11f8e105ce8531d59d1be155644da43eb34f2a2d4dfaf19517eb73ef77236b42
SHA512 2deab0fc5791d44188adf6ed9ba9fa930d3bab9eb471c43b6322f07f0040278366b8a814a04ff8102c195efcf67c8092c138a18b297ee3ce862282181be2c899

\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe

MD5 e8296d4dd0793727d417719c73a0832e
SHA1 09705b13cf6af5f8563f29f9663ce33a55a63b12
SHA256 e97c8dfe162ceabfb6cf13a88035ec98d589aaf5fbcf69297ed0fb0c72f461a4
SHA512 609face3d63d6c8b2c089f7c7e7e30533d67649af2e7983df833a6da136e6fae222c1e99b01c750546a495ba9de932e1c5bac9b800711789ffb073d58d1d9928

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe

MD5 17877328d73cddfdfd7aaf753c627f40
SHA1 a2b093d15d58e334b5197484dfe23487ea26b5da
SHA256 c516c9d3e7115ad3a23625011c3abc7f27e994092d29a094467c9c2f2d867d07
SHA512 a575c8270eb475dfe40458e39a4cd1b4b68f0213a0bd070653139dc2466d72e2df99ae89e1f3dff076e060a4fbdf6d667411f538652adf00069268fb81a18b68

\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe

MD5 bc9939f81052ae53cee66bc618611310
SHA1 9942aa44c078931c88ad9d7b0f1bab4edb956ad3
SHA256 a869d61e86f8998f025b71df375d1bdbc65414875c30ba6bb8c9d4b535020aaf
SHA512 f71ea69b54514765fa30608d3312724aa3ba55535f49afbb96a476ddcdb4c396ba1f1da9870c67fdb8e803451a7d25c803dfcbead339dee0f9768fb5bb0cc49a

\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\libevent-2-0-5.dll

MD5 980c120721a389d5930df56cf8c5067f
SHA1 e7a259accc3cb2d47b202fbd4ab6e73fe9d9f162
SHA256 7b9ec817e163211c46edb8af15aa2c55206af9edd7c1384e58873c2d67dadd5a
SHA512 a184a43151b69a5c7c8204c6b58d9b9644bdb7dc422141c2c5896cfb029c46fbe85a1d419a908674e1d73add2800aa29080476f3ee58e16bf0b9b528417a5ad8

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\libssp-0.dll

MD5 78581e243e2b41b17452da8d0b5b2a48
SHA1 eaefb59c31cf07e60a98af48c5348759586a61bb
SHA256 f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f
SHA512 332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\libevent-2-0-5.dll

MD5 923b06e11b9e9c6d1a28ce219f3799b6
SHA1 fd554180ecc577c72232168739580018b955bb56
SHA256 d98393f29e499002d9796a7d997482c4372d55550c1775ff09b760319e89020e
SHA512 fc9a21e03104a1522a298ca0a9f0ad71caabd8c308eccb14a558adf07043b38a6b4d87432c951d5bf505bfa00342ce15d6f77f2cacfa4c1b029e507403744711

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\libgcc_s_sjlj-1.dll

MD5 8ec06c38c0ee8d0751043294b35a9114
SHA1 f1b1aec09f46ca2817faeeb38ae3cd702841e2b5
SHA256 fea85715a4e5f7fccb91cda2f70458c099eddf6a2d910e0395d6da345e35886d
SHA512 72f22bda1ac7eb3a225858115103629627c042c2a7aafb0e2ef9d43bde5bef41464562cc6d4a374131eb36fb53845a7d5cea5d2da7e9ff771f84bc7426e624dc

\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\libeay32.dll

MD5 1173c3db7874f5fc6cc7e90ead714aa5
SHA1 2dcff41dedce2e4fcee5e665aa5981f3a331d442
SHA256 83fd1a2803bc34c7ef02615c5dad42049fd1f3c753d47f5fedacefa57fbcfac4
SHA512 973e8caabe90eb163ca6c327f347578504451f028cc2331fb7e48e484600b2a9f5497acd489aa80df4edd9b31fff839ebedacb835df3726bdc1035f431b5fe8b

memory/872-1336-0x0000000074DE0000-0x0000000074E62000-memory.dmp

memory/872-1339-0x00000000748C0000-0x0000000074942000-memory.dmp

memory/872-1341-0x0000000074D90000-0x0000000074DB2000-memory.dmp

memory/872-1342-0x00000000748C0000-0x0000000074942000-memory.dmp

memory/872-1344-0x0000000000E60000-0x000000000115E000-memory.dmp

memory/872-1338-0x0000000074950000-0x0000000074B6C000-memory.dmp

memory/872-1348-0x0000000074DE0000-0x0000000074E62000-memory.dmp

memory/872-1351-0x0000000074DC0000-0x0000000074DDC000-memory.dmp

memory/872-1353-0x0000000074950000-0x0000000074B6C000-memory.dmp

memory/872-1355-0x0000000074D90000-0x0000000074DB2000-memory.dmp

memory/872-1354-0x00000000748C0000-0x0000000074942000-memory.dmp

memory/872-1352-0x0000000074B70000-0x0000000074BE7000-memory.dmp

memory/872-1349-0x0000000000E60000-0x000000000115E000-memory.dmp

memory/872-1363-0x0000000000E60000-0x000000000115E000-memory.dmp

memory/872-1365-0x0000000000E60000-0x000000000115E000-memory.dmp

memory/872-1369-0x0000000074950000-0x0000000074B6C000-memory.dmp

memory/872-1375-0x0000000000E60000-0x000000000115E000-memory.dmp

memory/872-1379-0x0000000074950000-0x0000000074B6C000-memory.dmp

memory/872-1383-0x0000000000E60000-0x000000000115E000-memory.dmp

memory/872-1387-0x0000000074950000-0x0000000074B6C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 b3dd3402142a081b75c73efa4da6919e
SHA1 7cb59ec3cca45ce4179870ae34308b8fa9fd419f
SHA256 7beac8cc4e40ee20b5ceb01c204b18ce8a9af3196a4dca53ded020ddbe7aafaf
SHA512 2d1d585824564a0e8e20b5459e5743945885653b46ecd4271c96978b345ed68081eea38548fc79b06e6f3c3a24bbd43bbb231d3184033f538475fc0c49e4e057

memory/872-1402-0x0000000000E60000-0x000000000115E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\prefs.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u2bjtpec.default-release\cache2\doomed\3468

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u2bjtpec.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
