wannacry | 8fcc2ea6187021758203c5f7356fdbae4377b3695dec65e52461f9be505ac541

Analysis

max time kernel
270s
max time network
317s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keyboard-event.json
Size

81B
MD5

59679eff3bfca0f9a7821de2c8fe11a7
SHA1

2b9c96a84be10e9c7c760cf5e2aba992ad37bfa1
SHA256

8fcc2ea6187021758203c5f7356fdbae4377b3695dec65e52461f9be505ac541
SHA512

ff4bdb8b808261b3dfb6ca4eb0724dca9efe9e491996ebdd35ab40a54248c2a41c23a6bbc697e7c9ecd0470d05bcf18a6978f7d67338caf3c57fd9e3c2844369

Score

10^/10

wannacry bootkit discovery persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 1 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC755.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 25 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1356	MEMZ.exe
1104	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1468	MEMZ.exe
3224	MEMZ.exe
3340	MEMZ.exe
1132	MEMZ.exe
3396	MEMZ.exe
2616	MEMZ.exe
3368	MEMZ.exe
3404	MEMZ.exe
3372	MEMZ.exe
3724	taskdl.exe
3348	@[email protected]
2092	@[email protected]
1332	taskhsvc.exe
3908	MEMZ.exe
3100	MEMZ.exe
3092	MEMZ.exe
3116	MEMZ.exe
3132	MEMZ.exe
3156	MEMZ.exe

Loads dropped DLL 18 IoCs

Processes:

MEMZ.exeMEMZ.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execscript.execmd.exe@[email protected]taskhsvc.exeMEMZ.exe

pid	process
1356	MEMZ.exe
3340	MEMZ.exe
2040	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2040	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
3236	cscript.exe
2040	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2040	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2504	cmd.exe
2504	cmd.exe
3348	@[email protected]
3348	@[email protected]
1332	taskhsvc.exe
1332	taskhsvc.exe
1332	taskhsvc.exe
1332	taskhsvc.exe
1332	taskhsvc.exe
1332	taskhsvc.exe
3224	MEMZ.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1764 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

162 raw.githubusercontent.com
163 raw.githubusercontent.com
164 raw.githubusercontent.com
165 raw.githubusercontent.com

pid	process
1764	icacls.exe

flow	ioc
162	raw.githubusercontent.com
163	raw.githubusercontent.com
164	raw.githubusercontent.com
165	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

MEMZ.exeMEMZ.exeMEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4060 vssadmin.exe

pid	process
4060	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11ECA069-F329-11EE-B9A1-EE87AAC3DDB6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09ff2de3587da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c550cfe76380cd49847fdd66ee4ccac30000000002000000000010660000000100002000000024329f3296a9e9e2ded1fa419d4309fe6e225d6b411113ea3abc74761d159339000000000e800000000200002000000015be42f885a2c6715d2180d9015c26791f5565d318672c3ad2c812d11e5719e620000000880ebace8d8a7c0d99787c302802b802d3529cc6da8e4368526682115b15d95e40000000ffc6498105db58badf5243ace5dbc06e089773b00e66470a68606f2aebf15fd36aa31c80da9e23aaabf3d9760506db73754913dfbed211c3b545ed768f5b3e42	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c550cfe76380cd49847fdd66ee4ccac30000000002000000000010660000000100002000000099acc2e18db061a2245d75a8f2ea7859f458d47041e4e1633273b76c85803da9000000000e8000000002000020000000c71b8c726237ccd2ddd453f506b8f709a75da97d41ef12f1e1f658a01af184b490000000f6c772f92b6b0d59c84a0453fc520c49643f5bf3706bf32b3f2323a5c088b27a16cb77bcb1304273e12ea70ca475b617e1d69438b1e417e0643c42324eaede44b4be196d9396b00956d9dbd6a7858e48fd6b3452f0af8122d65c436b0ed111d8ee19717e078003b3a4f73dc37e00addcd48a7b3d1adcf20fb919b7231555323af7faf0445caf2977ad313b2faf060d9940000000630f4fee5b247a1e84279d3a042dbf9e6fff30c3e7fc5d8708902773ce236f945be1f52fde49072f5f3aca0fd823b4cd82d80effcb3ebbf0e84475453df1a9a5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1104	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
1084	MEMZ.exe
2924	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
1084	MEMZ.exe
2924	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
1084	MEMZ.exe
2924	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe
1204	MEMZ.exe
2924	MEMZ.exe
1084	MEMZ.exe
656	MEMZ.exe
1104	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

firefox.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2832	firefox.exe
Token: SeDebugPrivilege	2832	firefox.exe
Token: SeDebugPrivilege	2832	firefox.exe
Token: SeBackupPrivilege	4084	vssvc.exe
Token: SeRestorePrivilege	4084	vssvc.exe
Token: SeAuditPrivilege	4084	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3252	WMIC.exe
Token: SeSecurityPrivilege	3252	WMIC.exe
Token: SeTakeOwnershipPrivilege	3252	WMIC.exe
Token: SeLoadDriverPrivilege	3252	WMIC.exe
Token: SeSystemProfilePrivilege	3252	WMIC.exe
Token: SeSystemtimePrivilege	3252	WMIC.exe
Token: SeProfSingleProcessPrivilege	3252	WMIC.exe
Token: SeIncBasePriorityPrivilege	3252	WMIC.exe
Token: SeCreatePagefilePrivilege	3252	WMIC.exe
Token: SeBackupPrivilege	3252	WMIC.exe
Token: SeRestorePrivilege	3252	WMIC.exe
Token: SeShutdownPrivilege	3252	WMIC.exe
Token: SeDebugPrivilege	3252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3252	WMIC.exe
Token: SeRemoteShutdownPrivilege	3252	WMIC.exe
Token: SeUndockPrivilege	3252	WMIC.exe
Token: SeManageVolumePrivilege	3252	WMIC.exe
Token: 33	3252	WMIC.exe
Token: 34	3252	WMIC.exe
Token: 35	3252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3252	WMIC.exe
Token: SeSecurityPrivilege	3252	WMIC.exe
Token: SeTakeOwnershipPrivilege	3252	WMIC.exe
Token: SeLoadDriverPrivilege	3252	WMIC.exe
Token: SeSystemProfilePrivilege	3252	WMIC.exe
Token: SeSystemtimePrivilege	3252	WMIC.exe
Token: SeProfSingleProcessPrivilege	3252	WMIC.exe
Token: SeIncBasePriorityPrivilege	3252	WMIC.exe
Token: SeCreatePagefilePrivilege	3252	WMIC.exe
Token: SeBackupPrivilege	3252	WMIC.exe
Token: SeRestorePrivilege	3252	WMIC.exe
Token: SeShutdownPrivilege	3252	WMIC.exe
Token: SeDebugPrivilege	3252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3252	WMIC.exe
Token: SeRemoteShutdownPrivilege	3252	WMIC.exe
Token: SeUndockPrivilege	3252	WMIC.exe
Token: SeManageVolumePrivilege	3252	WMIC.exe
Token: 33	3252	WMIC.exe
Token: 34	3252	WMIC.exe
Token: 35	3252	WMIC.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

firefox.exeiexplore.exe

pid process

2832 firefox.exe
2832 firefox.exe
2832 firefox.exe
2832 firefox.exe
2832 firefox.exe
2832 firefox.exe
3608 iexplore.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

firefox.exe

pid process

2832 firefox.exe
2832 firefox.exe
2832 firefox.exe
2832 firefox.exe
2832 firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

firefox.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE@[email protected]@[email protected]IEXPLORE.EXEMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
2832	firefox.exe
3608	iexplore.exe
3608	iexplore.exe
3732	IEXPLORE.EXE
3732	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
3348	@[email protected]
2092	@[email protected]
2092	@[email protected]
3348	@[email protected]
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
1204	MEMZ.exe
656	MEMZ.exe
1084	MEMZ.exe
3368	MEMZ.exe
3404	MEMZ.exe
2924	MEMZ.exe
3396	MEMZ.exe
1132	MEMZ.exe
2616	MEMZ.exe
1104	MEMZ.exe
656	MEMZ.exe
1204	MEMZ.exe
1084	MEMZ.exe
3404	MEMZ.exe
1132	MEMZ.exe
2616	MEMZ.exe
3368	MEMZ.exe
2924	MEMZ.exe
3396	MEMZ.exe
1104	MEMZ.exe
3404	MEMZ.exe
656	MEMZ.exe
1204	MEMZ.exe
1084	MEMZ.exe
2616	MEMZ.exe
1132	MEMZ.exe
3396	MEMZ.exe
2924	MEMZ.exe
3368	MEMZ.exe
1104	MEMZ.exe
656	MEMZ.exe
1204	MEMZ.exe
1084	MEMZ.exe
3404	MEMZ.exe
1132	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1420 wrote to memory of 1692	1420	cmd.exe	rundll32.exe
PID 1420 wrote to memory of 1692	1420	cmd.exe	rundll32.exe
PID 1420 wrote to memory of 1692	1420	cmd.exe	rundll32.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2832	2604	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2464	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2464	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2464	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 2100	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 1304	2832	firefox.exe	firefox.exe
PID 2832 wrote to memory of 1304	2832	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3800 attrib.exe
3300 attrib.exe

pid	process
3800	attrib.exe
3300	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Keyboard-event.json
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Keyboard-event.json
2⤵
- Modifies registry class
PID:1692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.0.576805115\1522622786" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20600 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5ce4382-5df7-4563-9032-bd7b379927d7} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 1300 10ff5158 gpu
3⤵
PID:2464

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.1.514153819\1128159183" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 20681 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa786a5-f111-4df3-9297-61b25a667048} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 1496 e6fb58 socket
3⤵
PID:2100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.2.326125320\85376713" -childID 1 -isForBrowser -prefsHandle 2316 -prefMapHandle 2312 -prefsLen 20719 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {536b9ed4-1ae1-4bdb-b175-3714c7306efe} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 2328 e63b58 tab
3⤵
PID:1304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.3.124545557\2145124240" -childID 2 -isForBrowser -prefsHandle 1104 -prefMapHandle 2112 -prefsLen 25956 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0695ae8c-28d5-412a-b9ac-0e608b91a778} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 2696 e69f58 tab
3⤵
PID:2408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.4.2095692028\1241058299" -childID 3 -isForBrowser -prefsHandle 2944 -prefMapHandle 2940 -prefsLen 25956 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62d731e4-9aab-4153-851d-85ec3b21c219} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 2956 e5dc58 tab
3⤵
PID:2256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.5.2076283040\461433295" -childID 4 -isForBrowser -prefsHandle 3860 -prefMapHandle 1764 -prefsLen 26318 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ce66cdf-64f2-4f04-b841-e838a80837d4} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 3868 1f8fdc58 tab
3⤵
PID:2992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.6.815311001\934938020" -childID 5 -isForBrowser -prefsHandle 3980 -prefMapHandle 3984 -prefsLen 26318 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92315ec7-751f-4226-94b7-91b5800329c5} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 3968 1f8fd358 tab
3⤵
PID:1684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.7.733772491\1919983090" -childID 6 -isForBrowser -prefsHandle 4160 -prefMapHandle 4164 -prefsLen 26318 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bef1822c-4ad0-478f-bff4-05fde1c870d3} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 4148 1f8fe558 tab
3⤵
PID:2532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.8.733802574\1024078352" -childID 7 -isForBrowser -prefsHandle 4484 -prefMapHandle 4476 -prefsLen 26652 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ba5d549-602a-42b8-94db-4eb6901785ab} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 4496 224bea58 tab
3⤵
PID:2836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.9.1186429956\127973722" -parentBuildID 20221007134813 -prefsHandle 4584 -prefMapHandle 4588 -prefsLen 26652 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a528188d-b92a-486f-b2a3-5d186a225e91} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 4680 22bfb258 rdd
3⤵
PID:1288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.10.1400952971\141337429" -childID 8 -isForBrowser -prefsHandle 4836 -prefMapHandle 1900 -prefsLen 26652 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa3abcc-c706-4804-9ee1-800d1b86350f} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 4840 22e9eb58 tab
3⤵
PID:2340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.11.798110790\1899761279" -childID 9 -isForBrowser -prefsHandle 3716 -prefMapHandle 3492 -prefsLen 26652 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7816013-76a9-4c7e-a2eb-d96b17cd0e41} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 4404 208b3158 tab
3⤵
PID:2052

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:656

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.12.397832482\936752661" -childID 10 -isForBrowser -prefsHandle 3560 -prefMapHandle 3540 -prefsLen 26957 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ee6cee2-26f5-40a9-96d9-a588faa1ac19} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 3884 22f73558 tab
3⤵
PID:936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.13.712909822\350140238" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3612 -prefMapHandle 1772 -prefsLen 26957 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3e9cac8-3067-48f1-b2c4-f65f890f61a1} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 4792 f62ae58 utility
3⤵
PID:3028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.14.427197711\817325372" -childID 11 -isForBrowser -prefsHandle 5064 -prefMapHandle 5060 -prefsLen 26957 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c34352-8f1d-4589-b49d-204bda6fb401} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 5076 f643258 tab
3⤵
PID:2852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.15.1560837731\1245627587" -childID 12 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26957 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e4e2faf-cb28-47ea-9491-6dc0c5517330} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 4904 1fd44558 tab
3⤵
PID:3932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.16.1291022909\1497729770" -childID 13 -isForBrowser -prefsHandle 3752 -prefMapHandle 3712 -prefsLen 26957 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce193ef9-15ac-4d86-abce-aeef568b9d1d} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 3692 20ae6858 tab
3⤵
PID:3636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2832.17.1293043591\820447361" -childID 14 -isForBrowser -prefsHandle 4600 -prefMapHandle 4488 -prefsLen 26957 -prefMapSize 233275 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff171b27-bca3-4b8d-b13c-52bd69fbbc7b} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 4552 2281ba58 tab
3⤵
PID:2352

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3224

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
PID:3908

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
PID:3100

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
PID:3116

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
- Executes dropped EXE
PID:3132

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3156

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3340

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3396

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3372

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:3520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+download+memz
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:472072 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:603162 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
PID:2040

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:3800

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1764

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3724

C:\Windows\SysWOW64\cmd.exe
cmd /c 302381712306837.bat
2⤵
PID:4068

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
PID:3236

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3300

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Loads dropped DLL
PID:2504

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:2316

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4060

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]

Filesize
1KB

MD5
533736889e7df6e405ab3fbf2bb37fa3

SHA1
257ff53a1c0df33b8dada5dbf924579951bff0c7

SHA256
c2e4d8a44daece67afcf85669c2aa5423c19c66d4cc4add1f099161947e5f395

SHA512
bf34f05e35175b2d13e45a399918403462a1b1440f9a95b7bd9ec92c25244679fe589e425ee37c3c33feab6c2351a59ce623d1020dea941b72850d0064cf7e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
5235ca08b5fb2c69967552d3f89df594

SHA1
f77c2227cc6dede44e687def3c0207d2162298d2

SHA256
4604c4b3eafd8fa7e1dc652fc9473f00ce184817318c494b22eb62dbcb1fcafb

SHA512
877338d6dd71c73f8e2fbd4c49ad5a07ec988ba7322f0aa0fe985a0f405a4dee4bfd928dbe98835392ff46b0f9caebc1192adcfc7b2114021e9dc317aabf4ba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c6b67466f01da2519f152a0d1a18be1

SHA1
5054cf9d06b5f5e9eeea3e8e2020aa2858ca72e2

SHA256
9a6002b36bf8639b15349d76e031b68b67502d700be1a8b2e9154f6179b78c63

SHA512
2417577109405522674b7829622a643fdb1a677bb8727fc3bb31a8494c132235be991e84331b0d3250b053d7b0341a47ed0525bf5e9d67fc2535519c344426ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d4ac5fe632a881eb33c48cb706d9874

SHA1
a162339f9e0616f468c3b3b8da02282320945990

SHA256
23daba7f84b2c785e73ce0d67e9f25475b55c16639b58a91690c387647574259

SHA512
55a8ef209fbc73d8c1ce0fde1879877c700abd122076d2f3245a3589c4d86e4776386343b36fc402753c8e33efcf1ad0665a9097dc37fc8ab154b8323d297aa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d34c71a4135410df9dac1558bc917f0f

SHA1
3b7e0cf334ddb6e8985f7c220eb1bc7ce0910add

SHA256
58d0c5ff418191d841a661833b9ba0b765dea31f97e102ef121e9d94e8753cd4

SHA512
e35b78f5a988afae73c151ded1ddd69ec5975391612ac28939d7bd3defb7335574006880c43206bd8f9e0e95d2eba67adb5828322b227d67320f66f2cd9462b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
554036edf26318d0e4ddffc0709646e9

SHA1
2314970ba3f1f78899ad7954a65b78dbc1556939

SHA256
47b89937820c73c83585b54e805c16b7397ae968a0db347b74e4c254518945fb

SHA512
8e885e8f38edd7a808f7eb7b575a981c71c5ffce90a036de62bb013ff8193825769ef9f330b288b31f39c00e37335fcbd25c5661966c1c8e7523d47192be9354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e5411caabf2093d2c4d19bb81baaa38

SHA1
51dcb2062937a453f8a325a6b8ae3f9dacb12666

SHA256
9a7f3d4ba09a61f5792bc5ebbe22992fea76c66c79cba898c49101bfca528310

SHA512
d27cea08f8ad855653221f9b6d3b9f900f611238dc4dd9a98d55f54d479dc5d9f5021cd205f569cb66b21aecb2cd495a298b8d71b4c7b57d309d115304273750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5765465a87ef89bfb84a3b1f0139b83f

SHA1
59f3a6753306774af7bbc8ee427f813fde8879b6

SHA256
f651db6169c07a7ebf24b4f0c9186539693c26627a37f363b03e47eddf456ed2

SHA512
d82c1ef43700897a882f2919e09654d89f7c7f414ff2c1739881a06d2566f96e8a4d6f182c9fdefb5f03972ef2d1b656f43b58c3e044038770560276f3271112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d4d8aa56643bc8006693446bd995dc7

SHA1
c4758977ddd9364d0efd25bfa3876822f40a9e44

SHA256
0df1789f879f6c79ff6b2033d24bff97a610fd068dbb486dd1946298a495e680

SHA512
6236d0a4aca58b958bf0b9de5a91baa38b0766753c73b7111376ec954bb18c4aa950354ca4c8e2aa69fcc3381fd02937b5f5ea06c1bc458754e962cc35572704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1390a490b49b33f2ce4c2b87ffde982a

SHA1
08e60f24c5d694e2e3bb589cb6b45b188c0a2bae

SHA256
d963de5385cf1563c4b5420bd12d6cad5d247963c9dc2d6b6aef75307b57059f

SHA512
29a913f7f45dbf6c532f0b411c963fb9025f253b49d90f409ba1cb6aa72d93cf4fcd739002d7df2da4849e706467ac62f4bef2315f58bf8cd7e7b90a1a31971e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65299b5f34b14fc82e480beff866f6ee

SHA1
efe86d65d24dc3f9a062928a00e8f19ce2c454e2

SHA256
474b58a129b0b7401040b8d5311e99ac0170b09dc892eb9fda3607eea8eeda3f

SHA512
93f9f0f02a38002336dd47c3eb34e59d8a7f8ce7b23b92bc1be69030d745d7cb36157ce1875f60e3eb8d02876a2a0f91e45eb20d91e6fdc212bcbdd898ccb484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8a3f54f9dcf397a15d9389d9551c414

SHA1
0c750205a16cbef3a77a10a8b61e7a927135120c

SHA256
1f764a0e32b1ae19a30155beada6ce7d4eca5b74d2c323b0d7e1a28285c635cb

SHA512
7d93514f72707d0fe35c0e10e8652e332899a967857e4460b352da4c6bc709292761ddbcbf516cc9c2fb2034ff93f7e55dabbe4e5a92f0fa1d4204fef8250927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
498761def33a1090620043565d124737

SHA1
cbc3089ef4e38f38a405e097971bb3d0858a3508

SHA256
6159c21124f2f16d21f94d75c42645dccfb94d69093fc0fb02835a87da09e4ea

SHA512
a9301b82285e67ce945649b308d518b11f08c41a022bbec725ff76293f4b872e20cf1df44e1367c5749a63601c5a7bd845eab5da360a7e5fe3cfa6fe7d778b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat

Filesize
5KB

MD5
a791a203e1f43cfb9c3490974ddcfb2f

SHA1
156e5309c886633f8bda4c394b467b0dc2803bf6

SHA256
fb297dfaeb67407405aecc26f8c7608238950e18ea8a78408c7475ab49fecf5f

SHA512
3bd0b3db03f2896815703cbdfa37523bc903129edaef5af705cdaf8d0e2bf1980075aa57931696761169b7000af08fe4efcdb5ad70c5efea5a044627799867b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NK07AEN2\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
98bb825d9fc062e4f7811bf60dc481f7

SHA1
74e6e26adf2d427548bca403778f213dd47ede61

SHA256
6bb5605afa8712628e41dd4a8b22945d2f8da5d8af5e414a51f410f7c16649b4

SHA512
afab3492ec7fe19e9dd3699a04242184f36b9d96fb872544201a1da7c07fc2218e89831f28f2255c40b1957116e347d7b7fa0ecb26d47f38f98cad1daeef10e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\10104

Filesize
13KB

MD5
befc1db12e71b65096f9511426d91e20

SHA1
c0af8959e92cb641904a815e8be24b9fe8591b9a

SHA256
2b56468ab74e6af0380871da38a6b1441e662c0ec11ae2ae32536fa8f6ca29ee

SHA512
e976bc89622066cffef1501957ca197ba92e28919b73098a13a29129dfc6309a0c554eded404011d3c0f81e4dd013c6468f6f3944c3d8745938e12bc24718493

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\10216

Filesize
12KB

MD5
657e0aa159d76897e5bbe7df9d8f2668

SHA1
67a1f215e7cf3abe0c47f00c84551af8bbaf11a6

SHA256
99f0db2cb305d0635172b306ca19691b1bf6c0c731102657798d3b413cda8d26

SHA512
bd372815e0d2d0bb4502add25c1879272a5b708d4390417886fcea79f55848dc2b45e883bedfbd168c1fb7978a0320e448adaba7616f543df890bb0c6c3944f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\10553

Filesize
12KB

MD5
0409277c389255bd71659a3e22ee3091

SHA1
fa927722a7f5dca5b4e2080a5cf3c355c5aae412

SHA256
d3770f44e7f7c57eb21f936d491f16fd5a4d4a1fbf0e362411e8e1b2d1ce9240

SHA512
1f7acb26606b52171c87b8603fa38841654ac5d846cf193c0444ca2cec93511308891572f1829da4cecf4c82a89fba98d45225b2fcfd3d9d097f92d2aba0d05a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\1120

Filesize
110KB

MD5
4e78d364acbc0236627c5c52a94dd37f

SHA1
4bbaaa1bbb98fc1b48249e0871d949fd6a26f97a

SHA256
7d50075125f5351e3f9159a409e8b903a3811bac11406705de4693b03f083b59

SHA512
4399ecc4904443813c95e156be13c62092514ad1388a8d85b9f2aa795af9429c0829c1b79b0fd69cbfb2bcd5cd9d54375d91ad30d695bc6d2f8bc69cbe7a161a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\11748

Filesize
16KB

MD5
472b61b15512f25467f342586810e89f

SHA1
fa77b5c5338f327966cd66209581cf8836d02ea1

SHA256
c7cbd1bffebfbf3d8d103c4e938858cdd7fff5f9a86b99b9973c79102c7742c7

SHA512
a046ea64239aa6635762d0ca41ba45d0ccad289f4fc2d72181cb11e71de5f098bfcef1bfb62edf047b3a207a3d997cd9d95522791f860d237744f6ea0c9a7009

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\23011

Filesize
13KB

MD5
0407c14030ad52f92163699b99337549

SHA1
44a894d26a8b026bde3656461dc9374a2cc72b81

SHA256
9ef12c29f25989e3d9e2b726faf06c8491486a62c3b748fbe5da0507c8ced42e

SHA512
572946fc7cfb8e3942c6ff262c0fa822132f6b424b4c07cd8af5a30eacbd2b343d42702f4874cdd4c9b3f28604a09022de4ed2a018bacb3794e8d90d554fd7eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\6175

Filesize
17KB

MD5
7e94b244365818adc678e5a406abd1c2

SHA1
5aaef23ea4dd327b922bc87f01725e3c0fde3396

SHA256
6398d7513aae36cb78929e176c68e20fe47bcdb038507fa1ed955a61820f14eb

SHA512
4ed8db248264f9407ce837004b1ea453670ed23e1deacac02db55d505c6e9eb2099345b2f15cfbb8f8f91d9b60aedd7b04aba627c17451679281dfd5cb522574

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\7662

Filesize
13KB

MD5
277ebb0cf04a3dfa06a5bbfd90318c6a

SHA1
73dba5c8441f7f64ff72960fb9a922892b67ab50

SHA256
1c361242113b3968d6915e2ad13e847ff260b0e0b83ac676e4469e639c3d1cc8

SHA512
79f47c11934a63cc4f341161b2bf7a422d20a1dc97ec56c31b1c782869b2bbb813180ce781dd1f2bfecd4e449dd958b499110f34b478a495d8247e4d42b3ccf2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\7748

Filesize
13KB

MD5
9f1a9386c9aadff1c35df2d179600924

SHA1
f019736cb3a9e04234065a813fd2c78f80fb720b

SHA256
0c9a96ae70312948faafb28c8fa2930b38e381d42a7d502922b6e95278b4606c

SHA512
b66d0a1bb0fdc9809ce730e7957f87e369bde6742ac94d6c15f8ad2ddb99d02990f25409764c200d5053d797ea5149f51bb655af8e0ed7289a234a7089e53181

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\8728

Filesize
25KB

MD5
673d1ca18014e44929f850f1912a527c

SHA1
a8b77fda537c4820ad4085c032f663a095934b57

SHA256
ffcca9bed095aff4e7950a9546328c9350ccc577d42ca0926b0935e6552c9e5e

SHA512
a613a0c73eb2b175ac7b60662282bec7c6fe89515296c70d50365b9dd6a9a101698e1d895f8e7479f27ea6d1f35f1d12bce2c79bda4c0a85f56dd9c925f9ba8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\9992

Filesize
13KB

MD5
5f34f214831a85cac4ff2bda1ee76240

SHA1
9370df8048c88aa9ec917bcf7b676abfe1df9207

SHA256
8ef31daa7e6e73a1bbe9a724a2e18a9692b57a63d898e9976da66483660d458a

SHA512
a8680e13e7c7e71cb3949cb2d03975cd9df0fc7e4ec645cd7530894e23a3a2c125ce12d8f3a10ee1f0e85ee7d49ce88dba499600bc185c6cd9f1f8fc4823df91

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\0D4574A131907CF20E6177665DC1885CA838141E

Filesize
78KB

MD5
723052f8ee48c5857e3d93abb484047d

SHA1
2f0ed4fd8a1c11e0984392f88fd496823d4e129c

SHA256
9f3792897eafc212c8b924049d67af39a4de2cef4eb0a99e99c0bc8c1c882003

SHA512
82ba6d7e6628c7482976b9961dc234f47b812626ba4d2d83eb39ab926a992ece1e8810887a2b3b95f94ee75504b336acedfb5b5c504dcd68942df5c5646a5c60

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\10FFC1C55F7C272A387C01419A16DBA6EA289F20

Filesize
16KB

MD5
0c8785f1523d14ec90f7be6d5acd24c2

SHA1
82d15f25dd4c8068bc660f2f3657c5fc9b3e1875

SHA256
98ccdab072f1de0620f070b954cd8e7daf4be43901f7a548a0fd29289fca854b

SHA512
a1daf18312194a6a438a33a83f09d88950c3feff48f99faa04da9a13fc20c52d0c71ff99981da8504dec7ac56ed4273940a3c409df61e093632f3e152e067cd3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\175FC1F27DF5030D57F8D0FF3A5E0CD7039CB332

Filesize
35KB

MD5
a54f6261681f7c6363a190ebc686409c

SHA1
668e4c8f8f49f9d22e4f5497ed4278374c94b031

SHA256
fdf0160c5e85f3fb97d2e4cfb653b258c6dde9372738bf97c5f146454d90ead9

SHA512
2ab3a171835201274e1b6b916001e918a99d3f97ed4e48d32a2b0438f6af83bcefd8a5df63a0c2c3437f0f131d7e75dae23804eefc3022e18d011df1876d879a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\19A2215414917E304E70A440FA0D5B340EAEFA99

Filesize
31KB

MD5
aa6f48f57b80643e8e93f9b6c953e577

SHA1
88c94fa9f4c382002af31ec6861f82b4363e742d

SHA256
04ae46de3feb983a92afd5bdeb4e2d35fab7c65d01cc643fa79fccf239153685

SHA512
9c1f076dd4048c8925550d1782a01d8259cced17b2ed8ed0db4aec2c25a972ce36286b9ccd7e06696020d7486fb402d9d8ca1cbfb3d3fab077033907a92b2b0d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\2200C896CF51DD92A2F41849ADD37B8E43A73F14

Filesize
19KB

MD5
bed98ae44881b3b8ff23906cd065d3db

SHA1
f7d8c4df5a324ef5d619852c5500c405546936e1

SHA256
3501ad3be02e8f3c1126092e4ea7cd4410f26631c78bdac6fae9101eee4e5c4c

SHA512
294904a8d5d6c5f3f375d95ac43a2df9c0591d81e70e296c36177ff2c91668e97dca09238d305eb84fa9c9aaa26a1d404e1be3c9b5f318d7f1dda4951e8fd9e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\28271FC433D5CC072B4F16E458182342DAE29F7A

Filesize
73KB

MD5
97e4b0d1fff8c4de147a71aeb7b47657

SHA1
e3efbe255013d874daf62c4add3fba2490707cba

SHA256
e9c84ee7cf038197a32ccffefe7bae17adb050308244b350183b4c4b17e879c5

SHA512
67f16d6746e667466bc7afce227c289ac3588af8126637acaef823975bae8cb00d2fa5efeca0d0606da71f50d8de3b471e3564cef827527deb2c841e303cc619

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\547D29804B6377D977C04DB3EC34CB2FD50B0091

Filesize
13KB

MD5
abcc754fee37d0faf503dbff541431e7

SHA1
17a618e6db33d4d6c16b84a986e87c4ea0b3b73b

SHA256
19b76b113ee8d6a9a3a1706fa091c6785fcf08e80cd32d1b235073b28205f8d1

SHA512
a48021078526894c7c2175c61daeb82b667677916e9c3d1e425bf3a4114a4ff999d7e875035adcfa494d7ed9579ccfa54972497f9efefdc2312965eb209cfc40

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\56A88D888080F97E3FEBD99D01F9432E73A7DDE2

Filesize
152KB

MD5
c21f3e9dce334410a8e99997e83b252e

SHA1
0a270c09f8ca0b03ce4e199e0a8af92076412abe

SHA256
f7fa15e64bedd4dd832bdabcb59a419818c52aea85f8f5f901c488933d3f2123

SHA512
e67bc5276c099d67efe880455e701442bd75ea91cf892a35fadf7a1e24273116a0b2ae2f1d495a85e2e1c322579b2b4e8efa77261ea1a4186c37caaafb8492c4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\634E16DC7AF73196290DC0EEA7EC63EF6B95A520

Filesize
15KB

MD5
a124e21ae004083307b6a0e59f4a4514

SHA1
bac8dc1982ec357de326fab852b666d8907bad1f

SHA256
8bcbbf5c7aaae375977588c027d45acdcbd0eee3b83c3dc4d327dfe546be0ef5

SHA512
902e7c84b687b631866f754ea6bbbd2d5ff8bf396ab3745cc7519e02ee22ea9e2763583443e7d00ebfdc7948d048703b2c13e355f9ce768b5b3f41a7d1919e58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\6564D0A317EE7080104BEB3D8DAC7F050232453D

Filesize
161KB

MD5
4317c8b9f151cfe1fc97fc9fd3116f9c

SHA1
f6d41a5a1388e2036b6a7709f56aac7d56aa65a0

SHA256
c0188f12021d5c864fac5e09fdade47922f5d2e322636d25796564e01ddb34a5

SHA512
3426bddc2483a5505993d938447071adbc627f6524292b8f08a2a6a25c1523436408960ac3eefc8ce1048022bedc2922340d4475aeea3f61911ae66ee1c6f761

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\6FFAA5D56A9AADD065C5D63700463634490E5DFA

Filesize
363KB

MD5
56ba5cd6bad8087c18474539722a66da

SHA1
4379794a2c2280f40977c43be4a886b644c5ea7f

SHA256
e3b95fdbef4f0219a0150eb3e88e9b0dcf993362014bbdff148382736bde2e84

SHA512
8c848c31d600c0c49d60eb16f78fe95c26523073f3800932a1bb4736ae9936505e483ae86124b2a99e085e15e42be9967bd3be125959fe8da4439e307093d795

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\8D74FD8604405935CF9CE5F6887EEF743FDD90F1

Filesize
14KB

MD5
9db41a27b8421f4f3de230553882076a

SHA1
8bd099251173787b1f717a6c9143c7d55ac6bf71

SHA256
80d4bc780832e66ced188efbc28b18edcd7f070d8c99b18e5658c534ac99391a

SHA512
8326463df713e294427a440a9eb2c6dfd6f066a10d69d8a09dd8cf7e580fe19cda1a8584be714c6306876ad8c548f6b5e3cd4875ce58f88a49aba90af1319f64

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\9C2BBC7137762B4CA02A130A09A82F71C29112CE

Filesize
68KB

MD5
d2fd73e1f3e30f80f694dfa02d16ea51

SHA1
c8ce47d62ea1de2a5b2a45972685ca6cfdabb195

SHA256
6a004cf41c80f5887d56c8852ca408fa29fc25bd3ab5276679aeb2325d8f704b

SHA512
6fce5be62174585d82b619f3c30e3f8fa158659cbcf5ff9310a97d41213a846d7ae22a60a20d2b7a426030fab79956589e58de1f9efe8e78133885e829dadfbb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\A92D534DCEE5CF26A604636A9A52912211D582F5

Filesize
15KB

MD5
3bb86fdc67b427b8f0d10b8a3c9a0f13

SHA1
569ea02a28d1e793f307984b9d3f5bf92080f030

SHA256
7cf15813f3e377d8c4ed8ad4ce2c84bcf1cbe843bcc5db9c2da663c3d9806aeb

SHA512
d44bcacb2617b0b021bdaec14c8254a4ed22ed736f71eec640a4353c87449aa0527b3ce579231587a5b4eee0147b9a7dd436c0e14477d002c71258dd3bbef237

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\AF11D781759D15C630AA9507C2DBEB128B4FA4D1

Filesize
13KB

MD5
81a1d1cfca4122abdc73ab5519067f5a

SHA1
ed7f2cba9e6c7f541a3e68acbd8618a89fecd9b3

SHA256
cf3de2df49d1d73152900bacfe05030400e5666a6bbd170056aea63553aceade

SHA512
014bd656b0d8c0cc72c8c9f83edffd78c5e710ed4135d4652103d84ff35cfd3fe9f69ba4b86bd03f8b0aa65b1d54f7021d67c492d639ee93138cb77e8ffed3af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\C3BE1FDF777B9F07B13F60376137938F30C97E36

Filesize
14KB

MD5
9ce36baa4b41304b6eab3f0e83aeda21

SHA1
175a36fa2499c2882304c5f50ec3d5f565a4926f

SHA256
623aa0e7abb9fef52587d2f01212343813754444e5678587863dbe317b53289d

SHA512
c1f27ab8b1885db067ff1fa7498aac541a3553ab1869c8ff469f14073c341a309037708c085c610daa5564d264d3ebdcec64efb588569d8c01cfd0e93af55e35

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\C40A671DDC0E0D1E51773C34A7BCCB0020C7FC14

Filesize
16KB

MD5
d0fd839a53a231c9d85214143f2589f2

SHA1
f015c1cf76e5c06257c2b59a8c31f82cefd28ccb

SHA256
5d7a374281e0c01e0c667d20fb5a0034447648a01311bd5d4b774ee5c8f84887

SHA512
3023aab205a3ff665dff06d9f665a87194bf7cebc0cfb90b399d498277d75f64d7bcbf3438ecbc37f449d6a03586c586a8ed0b7f1b47510a7045ebc7b9e7d7bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\D94496847486C7B278818F3B9B3744E0331342C7

Filesize
16KB

MD5
4e546e417c610e659189c99aa1610b6c

SHA1
79d405d72e277215feecb545bc8c147ea1d438ac

SHA256
1036a9160aaf20a2676143a42605aa9a79959733ec09d654f8174575a225200f

SHA512
8101e9b17b6396c1bcfc8b94540ba8b8a41ad4d51e31fee302285f05a310982afe06c90dd3b22c337383024a2735f945c8ca522cd2ac5eebd1af48f1d4b6d817

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\F43DC4C9BDD2712148839EFA042561FABFABC8A6

Filesize
14KB

MD5
8d91d673865a8f6524fa9254702378f9

SHA1
2a506849d514ecb5290afc3fc79753c96a850d7e

SHA256
aba63416d6283bda30a91f81dd720caff1147c78324cdfc6459d5dabbed8ac47

SHA512
027a7f5a6a066429249ed39c27ec30abf9b1a4cee3f8c820557f7e014a299435d9d45b47b157b1189d9edce2e2503d0b7b3b08fe6a5145b2dc096cf8d5579697

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\F96A1A8368D3C3DD1FA81D170326E6C1C65D342F

Filesize
30KB

MD5
061ed6cba6635836d38e7cabaaf8a74a

SHA1
455ac6675cda4fbe3d36c3966e971c2f750db3ed

SHA256
05fbbc02b5028dd31c010e6341ed50e2f5e1523ae06f60c6b51e817d40e0a6be

SHA512
b3c1c99936857a45623ebdca5ebedcc3e05668e6f1d1089fdc7edc5520f4f518c9113099b90d4f7b072f3fca604d6bd2199fd904ec28654b99a65d4933158290

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\F9E32F5D7583CD0BBB518FB0C8FDC554F0E81102

Filesize
110KB

MD5
f64f71f6292dedc4b30fc28a32d7a0bf

SHA1
4eb08f0093ead1fa2c3895bbcbfe9b6320e629db

SHA256
5331dcd39a505804fddad9639f50864590619f6ee276df8a3db9bb3c844f734c

SHA512
82df5bf92c755eaa2e95077ed9b671b9e96ca4b1e7fd0fa3e08094467a9058b0e37fbf0cd0298e276e9c66c26b971b33bd643eaafddc22fa3ae6663227221fd5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\jumpListCache\Cs18aPbH79mzSjCWIA3iRw==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA611.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\302381712306837.bat

Filesize
400B

MD5
ab68d3aceaca7f8bb94cdeabdcf54419

SHA1
5a2523f89e9e6dde58082d4f9cf3da4ccc4aae26

SHA256
3161fdccd23f68410f6d8b260d6c6b65e9dfb59ef44aef39ebb9d21e24f7c832

SHA512
a5de5e903e492a6c9bcf9fbc90b5f88a031a14fca8ee210d98507560290d399f138b521d96e411385279f47e8de6a959234a094e084c2e7e6c92c0ea57778f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF9FDC06FA7B3ECEAD.TMP

Filesize
16KB

MD5
5eea86a1dfefd94140025840a6cd0c4c

SHA1
76739d5bf5bb56cac0353e6f1cc08eed31b0b2b0

SHA256
e4ee04a30084a40b5f0931f122b4bc44d4246c7038561a45fee02028c8b429fc

SHA512
b9743be1753f27f41185cb914331727f4774c0122ff9dad30d5bc302bfca6ac6eda79683d1fac56dd9ba5ed22bc47748b3f9b5e282903580d6101925a0055e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
17bb04e9c065834ddc942179dc65e1e2

SHA1
0a53e149dd184eb6c49148a832a867a477706c34

SHA256
d45cfcb6f221616c2162fa6e148b5bad8b5c455dd35fcd7abdc2bd938ec9e31c

SHA512
7dbd8de17d2caba2a64fbbd7b5f729a59bd89d5680b01e2f6d1abbc99b6d6776e8a040d90fe65a41146c0f17b6dc9daba3e0f6f3fab7fd542f190cb04066d780

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
13fb2d9ab92b4046cd913aa62e344e1d

SHA1
4e7a2a1ace9c0c27386f28686b6052a454209284

SHA256
c6578d50dfc6efb3f8b8f186caf1b525babc3a1783fc18649f678e73c0dc928c

SHA512
f9f968de5c53ed1a3719cf73424ebc501681b4cb445c3bb16b9201cc3e59531253f3393412228645fbceef319db4b8bce0021a0a6f4ba0e74c33981b5bd5f003

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\pending_pings\51aac488-1ace-42d1-963c-d8e99a48faa2

Filesize
11KB

MD5
9974feddf5c96293907deb4bf6ae4e2c

SHA1
09f4fc683844036c73fbb3b51307dffc0b26336d

SHA256
e871f1770d0be825907613950cfdc3f99bd80418b9da06d4ced5cf46cf88bb57

SHA512
2b6af229af59d594b1f9a7ea46976b4be37e7cc559c9938974b6e0883f4325965c5877da2b7df2d5aeda8f17b2f451f4ce3dee4609a08f30fac66a67e8f5da8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\pending_pings\b307f85d-e3de-4f7c-834d-470aaada06f8

Filesize
668B

MD5
37ad477e5f967c84947b40ea53dc3d79

SHA1
e1fb16440cb66a07c47f692ce4e06a819c3519f5

SHA256
0a222125c34db81765fd51cc0d406643fa851a2a9c6bbb697b8d34be6f316157

SHA512
df568bce3b2df49b6d9a2d3cbebed1bdbd5fac000adaa9a303b0d6543f1126b93fd7557902a679beb5eeec0c7c61ea6d3fbbcd8a693a748e4ec104d667742e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\extensions.json.tmp

Filesize
41KB

MD5
90b56df520ee106e80f6a694606c2a37

SHA1
d29f818533e60884f515088f977ed6ace18b01cb

SHA256
7c7f9b3d4d0de9fe74fffa43c39b899bb53668c4fc97eba3cdb39e19a6186513

SHA512
1119312feaf1872a3cc491523ca1ecdfee415d2c4ad86a1028322db4b614b27cb927450293821fc4a2d906e370005b5d6485bb48b0c6e6f6d825aa06ad184085

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs-1.js

Filesize
6KB

MD5
113ddd87e885132462e15b3306670647

SHA1
ffcb4528956c8d3f3e4529044d9254e466c5785d

SHA256
8758fe9cc7ba8d88cbf1a74806586ec69e84e99f8c1737de617fb54a933a2f0a

SHA512
d04af50033f1e5320c01abe0af970e81cb625f8cec6b9d39102865a9ec132fd9f7fcf59636daa52d399c6c653f6328998f219fb618c4292d43cefc1169818a99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs-1.js

Filesize
6KB

MD5
b86185b1c87fa4928a0634f5e0aa1231

SHA1
689060ed1d8304999c80d03ebdac721370b3aa7b

SHA256
a08f26ca890c3ae2f659795e3e32d88231d961324317b116687c9014dd29b6aa

SHA512
378b122d0b34d3c7f45305c79fb2549721fd88eff413b4d6eef574962a33a992ec1a486f07c552ff7c6f0c37bd01bc3fecc3a2c948d4f4b3fcf47b29d4f1dbc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs-1.js

Filesize
6KB

MD5
74b35ff19da3055b23deb02b67e7391d

SHA1
6cae160e608410f70b1f652e16d05392595d41b4

SHA256
08443a8137d88b8118c573c614567d101bce73da3403f6629d5032e06c24bdbd

SHA512
c328a70f72d221317790aaf78566b17adb5957980355dbb7d35a5a5e6648fdfdbeae7c3880ff34b63d3e568c6d62466c7079e31019af369caef669ee25a1892c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs.js

Filesize
5KB

MD5
ee8ff2c55edb08f9de656e351b5faef5

SHA1
97422fab8db63394b30c2a72409d9eb89ca800d5

SHA256
62d4b577ab6f55484565d6dfa9bc47cfdd5f8fb1a16a2f778675ddef6f8ec69c

SHA512
68c816711275dc43685d3e7269cbe5f92d72ebf68cf852ad8cf14c53f9dd5a2282f86932e818d57bdede978f03b1f5c18f0c57471bf31229f28adf5b812f4616

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c53e1a424e609bd23c5d7941babe45e7

SHA1
1ba82111c01a405b95834c8bbe47b3139fb6ceae

SHA256
91ba868d5cedfce9dd65145ea2ac457e53de3ee943723d05aad9f5736395f7aa

SHA512
4865df77dd858fd319135642b3e8a787c739443adfda38b5de2a4b486ec2e21149d6602af14b5fe59e721b05788a91365c4aa8e2297a4bc2bfafc5b74f3125a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a97bb20ff208a481ac6055966d6bd6ee

SHA1
d7779bfe76093fc7102057bf72653b12d97300ec

SHA256
9b427636cad9ef51f49b652c23fde97eb5912b781f228e4c94a29c9021afa6ca

SHA512
be180b8d91d5c8af546b8125b4d754ccc4a0cd3c5762ac2e5b9f238e6f4459dcef6778ac7e13e5b86ffe874171e603d61cf55fef2d435a8fbd732e51fc10fbe0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
4183764f48e62ef598675fd1b3b94ea1

SHA1
dc9144e7b8d6d2cdb6bcc5d53f6f293c1568d560

SHA256
fc8d92dfc94c92e41f6e92cded975fa47e1f50487f1e728a71aec4cbf9782e1f

SHA512
648f7c0d48165139d17375c51229095670177a8f5986ed3831511793352ff5b4f3204c78bf22e04ff553e9e4106c0a4627af3c45ab48a7a62ed3f4e9ff6d20a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
04fe328ff05467150864f45f504b4b6c

SHA1
46c7c0c70b0fddd97536fa818d52a94671e9c9e0

SHA256
cf459f3fc07add04781e5a4d3a7d25e377d6c5712971cd5327347a2804e41f59

SHA512
c04448c4a95d7c64dfb9141168a2d30589bf7034a79ac2048e410860eea6d5abbabbc4ec447d2dd6d25e529ab0648455cf4a1d689a28dd86a413bdab347f549d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
f9aca4e93c482982e9746552a9da482a

SHA1
45d3c2d36de28ff0145b72817ee0c35073884f4c

SHA256
ba6163b781218fe9209e023488884e7b35c76cc62a841da8a15a2d695b1c3373

SHA512
6575a6f1e398e094cd064fcc3c9127d500cd7cddf1194791b8e0932ecb714405f40cc1002dfc524a154e3784ec274438ca43983a4855217d7678211b20d185fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
da4cdf2b62d832a63d585c31481f46a9

SHA1
a5cede8c4e05af2f5a278a1e1bd9d7025efd9c30

SHA256
3e0cccfdb9d1f11a933f884e35fd5da95886cac08bb7083e79b2128726f41055

SHA512
fc41a8a5c12fed5a4b01d908b4ca3865384be12c77f59cdb83a7179e5315063d47d550558168f004c3ccee60c7dc35d3b82a9c4bcb3bdd4a5bfe8a4b0e3e86e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
b7b7237c26a529b8c9b4eff621c4d173

SHA1
8b23042b7c588aeaa9644a7ab4884b37d43d150d

SHA256
e07f20acd9c082d6716dd7952897e4228e3783cb3626b3845975a4758b55a6ff

SHA512
3faa6f8954cf93a7889b1099b7bbdde385509ed59bbd8d8bbbc6bfe4da6a80c3eafa95e7175cf9dc64ff3a727b30c080396b718b15cbb07e5d9325e6e16bc851

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
d1cd4aaab98db51194ea73863e44415f

SHA1
9ab224ef73f9e71361f0d3608ce282c6778a984a

SHA256
2b3b419be0478a615a779d62c0b880958f0177fd24a3363f067a6fe65a389282

SHA512
6c7b7c7eaaa7c39363e98c35ee219b64bc451d6a6d16f2e37eb516a0163039c39fefa004180cad06cd1ea65c32afab579aa1cd65a5c4b7a45141f09806756a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
4d26266c59343983f95758eceeeef364

SHA1
b9ff77a510bb1063f4cc12a76d3beddb3649e670

SHA256
521a33ba5c9be2e112722e4d4d82b8fe85fd9a23c2dad81030b9af2e489d3f84

SHA512
15e197cab6186c0669b9c9477c567f0a6a96037bf1e681f12de45fcb896fd915770299cee8bb726ca62fa523bef6a61bfd9773bf36962623c9d3669131882c09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
566d792d59102b02dde58d9324ca8106

SHA1
c827c18715409b564bf87995d0688359587f763e

SHA256
957069bf347369a2b6c19a88bbce3c2ce5e32fb9d6ca1672c8631ff7b65f64c3

SHA512
9bb1a29f217f3ed42fc1aa1e58d2553c5298c13ffb7ced7d43f32f8f697bb3e19dfe16c69c506d3fc6b8e2c5c19f1bd94bc28f1b5374f4b1e575f320c1936588

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
d9be0ae0dcf0f87cfed09ce5e44a3f94

SHA1
c2a8a938f487d03aed9d1305c0439bba981326bd

SHA256
084858405a618d2c1c7fbf98d8983370e6b73015a23ce4dbd3558c992a8a9413

SHA512
336fb40bbe007c23fd4d1470494d5f746896848c8aae2598102f48b5b4f4010c4a8204ff68292dbecc6b97e59477477f888e72df24fa33e385c673b3746bf2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
160KB

MD5
d6f1aeca83b7396f74c8a7f5c6d08664

SHA1
f8824e7574cac15834e421cb81c4e11e6addfbae

SHA256
9b30538a443a4a677d84a10ddc93df3f34cde9bbc666f4758baf322a844e2861

SHA512
491e67215e7959b048cf79ceb8a9bcf315b087babcbc2b783a661e37f7a409ad802f6ef5e9e2eaf43bbd747a772fb429f2332d861f5defbcd4822087f5a34fac

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
15.0MB

MD5
c20cfc5addc6b0c1c02f39908d20bae1

SHA1
26c444a98786821237ea3c7fcda00ac49e14a7a7

SHA256
1465c4221923cbcd53739145e9ae0081c6fc038a6715b92cbdaea1094c65f20a

SHA512
3ca30a719555004e0aee5cea9bd18a9b59c735586d8eb7f85aa9e2e728dd87cb9675425701e88e66cbf3606c9fac5a9668e5be3608e710e9cac5f88fccd34c5d

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1332-2864-0x0000000070FD0000-0x0000000071052000-memory.dmp

Filesize
520KB

Download
memory/1332-2867-0x0000000000A30000-0x0000000000D2E000-memory.dmp

Filesize
3.0MB

Download
memory/1332-2852-0x0000000000A30000-0x0000000000D2E000-memory.dmp

Filesize
3.0MB

Download
memory/1332-2845-0x0000000071320000-0x00000000713A2000-memory.dmp

Filesize
520KB

Download
memory/1332-2844-0x0000000071320000-0x00000000713A2000-memory.dmp

Filesize
520KB

Download
memory/1332-2862-0x0000000071060000-0x000000007127C000-memory.dmp

Filesize
2.1MB

Download
memory/1332-2863-0x0000000071320000-0x00000000713A2000-memory.dmp

Filesize
520KB

Download
memory/1332-2847-0x0000000070FD0000-0x0000000071052000-memory.dmp

Filesize
520KB

Download
memory/1332-2866-0x0000000070FA0000-0x0000000070FC2000-memory.dmp

Filesize
136KB

Download
memory/1332-2846-0x0000000071060000-0x000000007127C000-memory.dmp

Filesize
2.1MB

Download
memory/1332-2851-0x0000000000A30000-0x0000000000D2E000-memory.dmp

Filesize
3.0MB

Download
memory/1332-2888-0x0000000071060000-0x000000007127C000-memory.dmp

Filesize
2.1MB

Download
memory/1332-2887-0x0000000071280000-0x00000000712F7000-memory.dmp

Filesize
476KB

Download
memory/1332-2886-0x0000000071300000-0x000000007131C000-memory.dmp

Filesize
112KB

Download
memory/1332-2884-0x0000000000A30000-0x0000000000D2E000-memory.dmp

Filesize
3.0MB

Download
memory/1332-2850-0x0000000070FA0000-0x0000000070FC2000-memory.dmp

Filesize
136KB

Download
memory/1332-2848-0x0000000071060000-0x000000007127C000-memory.dmp

Filesize
2.1MB

Download
memory/1332-2956-0x0000000000A30000-0x0000000000D2E000-memory.dmp

Filesize
3.0MB

Download
memory/2040-1881-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download