jigsaw | hxxps://github[.]com/ytisf/theZoo

Resubmissions

23-04-2024 22:06

240423-1z3agacd59 6

23-04-2024 19:46

23-04-2024 19:42

23-04-2024 19:38

23-04-2024 17:41

23-04-2024 17:35

23-04-2024 17:34

Analysis

max time kernel
512s
max time network
511s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo

Score

10^/10

jigsaw wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (3492) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

jigsaw.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation jigsaw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	jigsaw.exe

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBEC9.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBED0.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 14 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exetaskdl.exejigsaw.exedrpbx.exe@[email protected]@[email protected]taskhsvc.exejigsaw.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]

pid	process
4872	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4388	taskdl.exe
2600	jigsaw.exe
4704	drpbx.exe
4304	@[email protected]
2556	@[email protected]
1924	taskhsvc.exe
2668	jigsaw.exe
1908	taskdl.exe
4360	taskse.exe
3416	@[email protected]
2020	taskdl.exe
3968	taskse.exe
2708	@[email protected]

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

1924 taskhsvc.exe
1924 taskhsvc.exe
1924 taskhsvc.exe
1924 taskhsvc.exe
1924 taskhsvc.exe
1924 taskhsvc.exe
1924 taskhsvc.exe
1924 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2412 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe

pid	process
2412	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jigsaw.exejigsaw.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfyblcpy406 = "\"C:\\Users\\Admin\\Downloads\\Ransomware.WannaCry\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

Processes:

flow	ioc
26	camo.githubusercontent.com
27	camo.githubusercontent.com
28	camo.githubusercontent.com
30	raw.githubusercontent.com
350	raw.githubusercontent.com
23	camo.githubusercontent.com
25	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

drpbx.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_rename_18.svg	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small2x.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\4.jpg	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\BuildInfo.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.235.663.0_x64__zpdnekdrzrea0\Assets\Square44x44Logo.targetsize-256_altform-unplated_contrast-white.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\[email protected]	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions2x.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfigOnLogon.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppList.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\wordmui.msi.16.en-us.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-125.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_24x24x32.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8080_20x20x32.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\Logo.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\logo.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-lightunplated.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.fun	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-100.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder_18.svg	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133583751890379916"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings chrome.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4856 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	chrome.exe

pid	process
4856	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exechrome.exetaskhsvc.exe

pid	process
3088	chrome.exe
3088	chrome.exe
3024	chrome.exe
3024	chrome.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe
1924	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3088 chrome.exe
3088 chrome.exe
3088 chrome.exe
3088 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
4304	@[email protected]
4304	@[email protected]
2556	@[email protected]
2556	@[email protected]
3416	@[email protected]
3416	@[email protected]
2708	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3088 wrote to memory of 644	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 644	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1992	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 3268	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 3268	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe
PID 3088 wrote to memory of 1016	3088	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2576 attrib.exe
2008 attrib.exe

pid	process
2576	attrib.exe
2008	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ytisf/theZoo
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff098dab58,0x7fff098dab68,0x7fff098dab78
2⤵
PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:2
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:1
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:1
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4928 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:1
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1148 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:1
2⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1904,i,11960386780204754276,1018695593113411076,131072 /prefetch:8
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus\" -spe -an -ai#7zMap16072:110:7zEvent3225
1⤵
PID:984

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus\" -spe -an -ai#7zMap28104:110:7zEvent4613
1⤵
PID:3728

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\*\" -spe -an -ai#7zMap25155:194:7zEvent28335
1⤵
PID:1372

C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:4872

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2576

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2412

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 191751713902009.bat
2⤵
PID:1380

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:3280

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:2008

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4304

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:4652

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:3316

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:2576

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1908

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
PID:4360

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rfyblcpy406" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
2⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rfyblcpy406" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4856

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
PID:3968

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe
"C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2600

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3784

C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe
"C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun
Filesize
720B

MD5
75a585c1b60bd6c75d496d3b042738d5

SHA1
02c310d7bf79b32a43acd367d031b6a88c7e95ed

SHA256
5ebbfc6df60e21044486a5df3cb47ccdcd7a4d5f197804555715ffd9bf6c5834

SHA512
663a302e651b9167f4c4e6ae30028307b4d8da0dda3a0e5fd414104951d50419862fc9396c5b39fe5c4b696efd3efbf0b575688983b1d341f3ef38becf500505

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun
Filesize
7KB

MD5
72269cd78515bde3812a44fa4c1c028c

SHA1
87cada599a01acf0a43692f07a58f62f5d90d22c

SHA256
7c78b3da50c1135a9e1ecace9aea4ea7ac8622d2a87b952fc917c81010c953f7

SHA512
3834b7a8866e8656bbdbf711fc400956e9b7a14e192758f26ccf31d8f6ab8e34f7b1983c1845dc84e45ff70555e423d54a475f6a668511d3bcbdd1d460eeb4b0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun
Filesize
7KB

MD5
eda4add7a17cc3d53920dd85d5987a5f

SHA1
863dcc28a16e16f66f607790807299b4578e6319

SHA256
97f6348eaa48800e603d11fa22c62e10682ad919e7af2b2e59d6bd53937618f2

SHA512
d59fa9648dc7cb76a5163014f91b6d65d33aaa86fc9d9c73bf147943a3254b4c4f77f06b2e95bb8f94246a982ea466eb33dac9573dd62f40953fd23de1c1b498

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun
Filesize
15KB

MD5
7dbb12df8a1a7faae12a7df93b48a7aa

SHA1
07800ce598bee0825598ad6f5513e2ba60d56645

SHA256
aecde4eb94a19095495d76ef3189a9abd45bcfd41acbed7705d22b4c7d00aa77

SHA512
96e454ebb4c96573e8edc6822290c22d425f4c7f7adbab35e6dc4b3ce04a5916ae9254c2c312c98299835ecbf3c5aa95da2939b8408ac25fbae44ba87a3795dc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun
Filesize
8KB

MD5
82a2e835674d50f1a9388aaf1b935002

SHA1
e09d0577da42a15ec1b71a887ff3e48cfbfeff1a

SHA256
904372666ca3c40f92b20317d92ca531678958affbc34591401e338146fe0ecb

SHA512
b10a8e384d0bd088443a5085f5c22a296f6f4d295a053d4526690ba65846e887daec47d01cf18fdf1160db98061a8b7c4040de56e6e604451a821fadccf32698

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun
Filesize
17KB

MD5
150c9a9ed69b12d54ada958fcdbb1d8a

SHA1
804c540a51a8d14c6019d3886ece68f32f1631d5

SHA256
2dee41184747742fbdc527b2023d67fecec1ccdfdf258439a06cd75d4fd33f43

SHA512
70193ee6f0919eb14311f43b5a5da041deacb568db55fc43290ee76e17af902ac468435b37a150630ea3b7871c724073915ae5dcba3c301ac42f2d68dd598e2f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun
Filesize
448B

MD5
880833ad1399589728c877f0ebf9dce0

SHA1
0a98c8a78b48c4b1b4165a2c6b612084d9d26dce

SHA256
7a27d891097df183fbf0031e3894bdac0ce77aef15d666ddd9f6a04e9836fb27

SHA512
0ddf247892a72a390437390d535debf6e41d12e51b31eb4f0353b710ec380c5fbc531a48e76935088063a41aca843287d3def9c1cd46be05b8dcb69f5017a464

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun
Filesize
624B

MD5
409a8070b50ad164eda5691adf5a2345

SHA1
e84e10471f3775d5d706a3b7e361100c9fbfaf74

SHA256
a91790b778026db625c9dedfe1c6d94b884818b33d7977e86b2f9c2f3c500796

SHA512
767a75edd37d29b3433040ce21cda849cd11ba549f27581f7edc6416c433ba7047c56908d40956422393ab0f35ede61617d4bd2aad0bde3d1ebd276584c858c7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun
Filesize
400B

MD5
2884524604c89632ebbf595e1d905df9

SHA1
b6053c85110b0364766e18daab579ac048b36545

SHA256
ae2facd997527426fc4def82e0db68be29b44499bfff86a28c36f7c31b177d4f

SHA512
0b506397627823a1768796129c6b37d146821471b89338b5f2d0fd3aea707fd46a8e197ee0e298ddfb3b50eef0a0b064946006346b060f733ef19cbd5d24fc90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun
Filesize
560B

MD5
e092d14d26938d98728ce4698ee49bc3

SHA1
9f8ee037664b4871ec02ed6bba11a5317b9e784a

SHA256
5e8ec278a273be22199884d519a79f748801baa3a45b76e57569fdfffe96e7fb

SHA512
b2fcb5d46339cdf6b5a954f2a083cf913779e57cb6e8699bc5da1fba1c370c41117b7ddefb50075622067eb7b02a20268bc047171bd883bcda4a497c2ec64ea4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun
Filesize
400B

MD5
0c680b0b1e428ebc7bff87da2553d512

SHA1
f801dedfc3796d7ec52ee8ba85f26f24bbd2627c

SHA256
9433084e61062d2b709c1390e298ddaf3fb0226656662c04c0b7026a44dee750

SHA512
2d1399a6bf225b048d2b12656e941ad912636acae2dec387f92f33ac80629a1e504bca63580ba73a8ed073788f697274d5eb76ea1b089f0555fd397a8f5cbbff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun
Filesize
560B

MD5
be26a499465cfbb09a281f34012eada0

SHA1
b8544b9f569724a863e85209f81cd952acdea561

SHA256
9095e9b4759e823e96984981af41b7a9915a5ecaa6be769f89c13484cef9e0f5

SHA512
28196e5de9670e9f63adcf648368bd3ea5926a03e28a13adc2fb69c567fba2f84e4f162637c487acb64eda2e30993f849806f2313820ba693c7e70303542d04f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun
Filesize
400B

MD5
2de4e157bf747db92c978efce8754951

SHA1
c8d31effbb9621aefac55cf3d4ecf8db5e77f53d

SHA256
341976b4fe312824d02512d74770a6df9e1c37123781655532bd9cd97ea65fa9

SHA512
3042a742c38434ae3ee4fe10f7137462cdebad5cae0f9a85fb61063d15a30e1b54ac878b1af65f699c6ca1a9d2c3e58d245e54bdebfadc460cbd060836734e11

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun
Filesize
560B

MD5
ad091690b979144c795c59933373ea3f

SHA1
5d9e481bc96e6f53b6ff148b0da8417f63962ada

SHA256
7805ac9d0e05d560023e5aabed960d842e4f3ec2aa3db45a9cfb541688e2edb1

SHA512
23b4c799a7b25f70962e8dd0ec7286ba7150053cab7c88f5fb1efc1095c2987bd6f3572e7fb3ee4b2238958e52a763de2c84a74615df7a6d3a19a034584fd687

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun
Filesize
688B

MD5
65368c6dd915332ad36d061e55d02d6f

SHA1
fb4bc0862b192ad322fcb8215a33bd06c4077c6b

SHA256
6f9c7ebec5a707de439e3fd2e278fdfa07a39465d56157b70b24f091509bf76f

SHA512
8bb9a7690aeb3c0b9e14e1a6ebc5741536d354cf2324fd74ee0c3e4ef511718f7795039a94c8d2df94b6e6d0fb1762191cb649089d1def12abdf34003f0cdd0f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun
Filesize
1KB

MD5
0d35b2591dc256d3575b38c748338021

SHA1
313f42a267f483e16e9dd223202c6679f243f02d

SHA256
1ca0cfc2df0354c8d886285ae5e743d9c7cc030e1afd68ac113c0f2ce43ad5fa

SHA512
f6c58c27bbde7508a866bd0e7fabadb13a4f020378cd8b8cfc0c9fa23f645d811d6cdea04b81afdf30c064c6248152e74b3e6a78ec7a3d1d19037a0db8897d7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun
Filesize
192B

MD5
b8454390c3402747f7c5e46c69bea782

SHA1
e922c30891ff05939441d839bfe8e71ad9805ec0

SHA256
76f8ed1dd50e50c7d62b804a0d6901a93e5534787d7b38467933d4c12ce98a0d

SHA512
22b26c62473e80d17c1f78df14757ccfb6c7175faa541705edc153c02baa7ab0982b5daabe8dd2c8c9efb92af81f55ccaeeecffe8ed9a0b3c26e89135ca50923

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun
Filesize
704B

MD5
6e333be79ea4454e2ae4a0649edc420d

SHA1
95a545127e10daea20fd38b29dcc66029bd3b8bc

SHA256
112f72ef2bc57de697b82b731775fba3f518d1ae072120cd11b732bf4a782e36

SHA512
bed5906c7373814acc8a54c1631428a17f0aa69282920447a1575d8db826afd5dab262301dc6da610ff8bb81d24ec6babd3d9fb99fd6945f1aca9cb9c76ec2c9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun
Filesize
8KB

MD5
3ae8789eb89621255cfd5708f5658dea

SHA1
6c3b530412474f62b91fd4393b636012c29217df

SHA256
7c5b1d8469e232a58359ccbcb89e619c81c20e6d2c7579e4292eb9a19849bc5a

SHA512
f6998dbae1a2fa56f962045261a11a50b8e03573d9d4cf39083da3be341cc104e0ecf5908076f03961bcdb1356d05a7450d69940ec3aaab73623a6fe180e7051

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun
Filesize
19KB

MD5
b7c62677ce78fbd3fb9c047665223fea

SHA1
3218c7b6fd8be5e0a8b67d3953d37d5dbd0c71d8

SHA256
aa638be6e1107ed1f14e8430abedd6f6d0a837a31b1b63e6a7741d6d417eddc2

SHA512
9e0cc29835845f2a0260a6989c1b362bac22a8e0c2825bc18f1dde812ce7868503881d2deaf951429a80b5017b6ce31e785ff524883e08d730aa38b36a2fb074

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun
Filesize
832B

MD5
117d6f863b5406cd4f2ac4ceaa4ba2c6

SHA1
5cac25f217399ea050182d28b08301fd819f2b2e

SHA256
73acdc730d8a9ec8f340c724b4db96fc222bb1eaf836cec69dfe3fab8d6ac362

SHA512
e10883029c1e0fbc64bec9aac0a6957a8499af255e1790843717212077926474e02b2870c5dd04b057c956b97ad4bb1747fe73e731ea61b891f4b38dd80494d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun
Filesize
1KB

MD5
433755fcc2552446eb1345dd28c924eb

SHA1
23863f5257bdc268015f31ab22434728e5982019

SHA256
d6c290e942ee665d71e288229423a1f1866842988eac01f886910b0ec383aa9b

SHA512
de83b580ce27012a7677e1da867c91e2a42dbc6b5872dcf756ace51c2862801814665ecca997171f2e550e8b9a3de19994d2516a4e5d4d57e16c7b4b823236c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun
Filesize
1KB

MD5
781ed8cdd7186821383d43d770d2e357

SHA1
99638b49b4cfec881688b025467df9f6f15371e8

SHA256
a955039cd9e53674395f4b758218e4d59c89e99a0c4d2a909e49f6008b8f5dd4

SHA512
87cb9c4288586df232200f7bbacee3dee04f31c9444902dd369ad5c392d71e9837ebf8b3bb0fcb4a5db8a879cf757e97ce248939e3316c6bf3a3fe7cbe579534

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun
Filesize
2KB

MD5
51da980061401d9a49494b58225b2753

SHA1
3445ffbf33f012ff638c1435f0834db9858f16d3

SHA256
3fb25ddd378ab756ec9faa56f16b76691cf6d9c7405bb9a09ce542a6f5b94e44

SHA512
ecc5eb2a045ce2508d461b999f16caba6cce55aa0c00b34bd73a33e0458795f93a77caff5026212912684164057be016f51dc57ec83821c2a1f2e27417c47b2c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun
Filesize
2KB

MD5
2863e8df6fbbe35b81b590817dd42a04

SHA1
562824deb05e2bfe1b57cd0abd3fc7fbec141b7c

SHA256
7f1238332901b740cde70db622abcfb533fc02f71e93101340073552f4820dad

SHA512
7b2d95465ea66951ea05c341549535a0a939d26dbde365b212e3983e4047fa6912c37d737cb8054c41bb1a7d92586d968a0154c666572a70ebc59a4776897f38

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun
Filesize
4KB

MD5
79f6f006c95a4eb4141d6cedc7b2ebeb

SHA1
012ca3de08fb304f022f4ea9565ae465f53ab9e8

SHA256
e9847d0839d3cf1039bebdc49820ee7813d70941347ce420990592e5e3bd998e

SHA512
c143a4cf1ccfa98039b73214978722408188535ee4aa3dac08a34760b94bdf6d36ad0ff0de893da5b17fd69c96a6dfb25098ab7fec219fad1a77532113d0353e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun
Filesize
304B

MD5
b88e3983f77632fa21f1d11ac7e27a64

SHA1
03a2b008cc3fe914910b0250ed4d49bd6b021393

SHA256
8469b8a64e80d662eec71c50513f6d295ef4a3a9992763dbcac9d81253cef9d5

SHA512
5bf93d4f4250ca96169f3d27d4e648cc5d6e00b7558a3ef32e07edcbae36dadb8008d7ba5f83ac3ed812b72c9d52730e866191b4de7a339df57b5697e00df50d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun
Filesize
400B

MD5
f77086a1d20bca6ba75b8f2fef2f0247

SHA1
db7c58faaecd10e4b3473b74c1277603a75d6624

SHA256
cf10d2a22b638cf0978cf30ecaf39ecb5bb0e3ad78cd920afa433ad60cc1290d

SHA512
a77a897c0b41f4052cb9546d4cfd6e0856b288b6b8583a86d6c7e79059a05b19cc2593599251581e79107235e9d5cd589c392bf490452be04ff57e944cd19df3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun
Filesize
1008B

MD5
e03c9cd255f1d8d6c03b52fee7273894

SHA1
d0e9a9e6efd1746bc9ccb4eb8e7701c1cd707e2e

SHA256
22a34c8321384fc7682102e40d082e7812232a9109e4d4e8fa2152fda3f260f6

SHA512
d4bd002197b725316e1f1f2dd0a70ee44a82a53ac0dafa8c6b1166343adc406e147d0c4cca30d65a32aa545f1b327c6b69c0ec1d15330af48a6faa234dc4b5ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun
Filesize
1KB

MD5
62b1443d82968878c773a1414de23c82

SHA1
192bbf788c31bc7e6fe840c0ea113992a8d8621c

SHA256
4e96529c023168df8dde241a9acdbf4788ea65bc35605e18febff2b2071f1e24

SHA512
75c8604ea65e0cdd9ea74b4802930444dd16a945da1e7f0af4a9a3762259ee9eb41ea96973555d06f4814ee2f6b73ab662c6b314b97876e9628fa5d4536e771c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun
Filesize
2KB

MD5
bca915870ae4ad0d86fcaba08a10f1fa

SHA1
7531259f5edae780e684a25635292bf4b2bb1aac

SHA256
d153ed6c5ea8c2c2f1839f8dadcc730f61bd8cd86ad732bab002a258dea1d037

SHA512
03f23de6b0ae10e63c41e73308b3844d49379c55d2df75fa1dc00771b26253d832c21081d8289f04260369df996e31273b7c0788cf3b5c78a27ec909f14a283a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun
Filesize
848B

MD5
14145467d1e7bd96f1ffe21e0ae79199

SHA1
5db5fbd88779a088fd1c4319ff26beb284ad0ff3

SHA256
7a75b8ec8809c460301f30e1960b13c518680792e5c743ce7e9a7f691cfafc38

SHA512
762d499c54c5a25aba4357a50bb4e6b47451babeda84fa62cfbd649f8350bca55204ad002883b9147e78dda3dbabaae8da1dc94b716204226bb53326030772b7

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun
Filesize
32KB

MD5
829165ca0fd145de3c2c8051b321734f

SHA1
f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e

SHA256
a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356

SHA512
7d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun
Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e
Filesize
59KB

MD5
063fe934b18300c766e7279114db4b67

SHA1
d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd

SHA256
8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e

SHA512
9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
Filesize
21KB

MD5
ebc633a368f3fac0b50f7a240f5c9b9e

SHA1
8e6931ee9534a5df409e6781500de861d1901051

SHA256
8213ca3eccc92b35c7cebec3680fb15cc6e77a1929dd50fd4de0f94da1ccdc18

SHA512
96df3569e12d2c0ed7e8292d0f65e87503fa0adef302d944fe5c60afc8877938bce64e81506f4c716c0a5df0f490e43f115811a721d59d6258738f45c3151fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011
Filesize
151KB

MD5
7739350f11f36ec3a07b82584b42ab38

SHA1
d97e0e76a362e5fce9c47b7b01dab53db50963d8

SHA256
d84e9971e8c344b9ff5a5968e7252270757f211f0d408e26c12693729068ed75

SHA512
2cb436985e382ec17390a1f8a7c112bdf18206c66d845934a14f9c84781200828e05c57cef5d4128a9d9b96778042ecb7ba2c031563c78ee9b8ec41accf8a537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012
Filesize
21KB

MD5
e9a5315fe482aa6a84b4cd461a41a5cc

SHA1
06833b57adceda1c91eaa2072d368c54fe4995b0

SHA256
6a00fd28670b7ddc6725260bf6cf4c345762edcc5e74e4eb77367b4969efa9c9

SHA512
86dcee3ad5c69dfb9bf6f0e8246b1bf2f95a27188c17e1cab7b9270774c37b8d0e6b2acfd33f144ba74d17c849299a9c750dab9c8f1bff09147befb7876421c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015
Filesize
76KB

MD5
f1e7c758e7ecb65461b66eca1b45361e

SHA1
243051c4e50d4b224c12e4e5e77e44178774678e

SHA256
f543060458840e9a98de28a48c05d391a5fe37f1e55e856740527b65b27a9fc0

SHA512
29f0993ca7c60d00a3a19c59ae203c049bcd44aa90e72a68229ebd3f8459566c2149d8108120fa8728caa5709670ae675f1147e44a0e8f644505449004ea88bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
a0989d32da750461c7869faa2504a684

SHA1
ed184566aabc2f857227b940e55f4852bce08620

SHA256
0fb1e9b696bf40e1510b9d524edd9e6a73b6dec732cdf937b76501022dc8e4c3

SHA512
016d38522727c98191618b8ee6227d8f0580647050aea488c0bcfadf1c4428d3abab3a2e59b46e522bf5a4697e1e47221d099e1c2eb836336e7fe566fca76692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
6192ff8af896c7054957c47a5ce628f6

SHA1
99d863f1c7ceac6756c678814c6540a10baac541

SHA256
5f167221dc1a48f78459c4098e51f0da5c83c9cd5f30232f8c0abe75314a0b9d

SHA512
1edfadb736914b443a35c2442ba8e076cef83585efc3aa717c092b67698787eccc379c2060a8fffbc1e78f1c1ec10c982a0998fddef29f3454d2d5beab681a07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
f4450b288671f2f4954d9ca8d30843ec

SHA1
52a56a641f4f8963923c8deaafb7e64c15d1f519

SHA256
84d1bda055ce49bae3fd0e198057423c178c233a37fbbbf0a46562960e647589

SHA512
4d7a4117ba6a7e46bff3bcbfe0b85d6cacae7521b05b5c748536cde65bdec39a3fdd97a40b9439bccff75dd31f0fc6a34ed06023fd7bf48e7647208e85f2c5a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
632d50fa1bab2fe28b33ae7a716592f2

SHA1
4881e61ff82fa05e0a5fd4a8018ae07103166f10

SHA256
3a499aaa856cb84d6d302e720de643ce51a2a6276c6be7a66cef8a8501814982

SHA512
015b6c911ae868c14881d974fa1814371c33368ffc5072e7c118730352c275c9575b7128bde573ffb314d77e732ea2a8b6a5eac0543d159ff9ccf4d298613430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
beb25b7eddd6e5c44b49abfb5bde07a5

SHA1
cd404698a353a049cd05e7f15005c59e8ede150d

SHA256
27b16ea01164735f1540ee693dc7cd494b5705bddba3fbbc1ff8384503747464

SHA512
620f744b85b9ac240f122be0eff45df52520986973d72a71d754b00ad203ded1eed408184f0934f0e7101d442ca74bda02a1f9c592d56f540ad7944184b23ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7e3ef7be-1a26-4405-8f47-6ca3482466da.tmp
Filesize
1KB

MD5
99b08b7ca89d6c15b733264e65dce60e

SHA1
33e860e419336a6bb233c2ee0b1d8713665d50e9

SHA256
a4bf71f6d2eebf1f5f802f2e9e7e34809ab73ed286b842602d38620b6613bfe0

SHA512
278ed3f1f6160dca942895352d21398875b49e1849fe2bd271e1c2becaef04109c7df48b1a4e746e3d18bd081c3dae8dcc6aaba2a974877d2195a21d7e022049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8e184a4a-355b-4fac-8280-32142f7d9f35.tmp
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
f6c9587bddec1ed8855b8815f329d8b8

SHA1
d3e71f26cbfb60c0b16c089b9b5e93b1c3f835f9

SHA256
94975d235c8f7b920f6891cafb3920ecb7bb947871a799775abc5a3d3266dafc

SHA512
b81960c3b2c13efb2465165c05c7eabcf1d6f9f97e6c79e7a1bc9aec69604a628c03d330a55cdfd583e3fc2a174ecaae6d63c22d6790abdaf72574c99972f7cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
940f8c3a2016550f94bac02005a79bf9

SHA1
3cccf973523f6fd61ee3d36e053bd016fbdce8bd

SHA256
498a3a36dbff73d82ffaa55cc27232773a279e92f8b8884d204bd807a000ba73

SHA512
4b49d7edb9091a2c43cfd52d3eb510ce16772802499a239f3cb14153509e11c294d87163573d251ae13190470ca5454f12859c295c9856167c4bb3e7da3949c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
b434e4e643b26fd6db17334f0be54d38

SHA1
62c233b68e945648e6b30565aa9f78db7a41b076

SHA256
9044446f11521a9caba275bcdf682f2b6df5ae505e3665cf26d581a5f9471aec

SHA512
f2ad37dca14c3615738fbaefea2a5662f45b50715cadf7536b9440c5a44eb249050f2c6eb23c67c27bb912dbbb8d9afb4b514e16ac0dc177cc7764a90801a346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
bf97a52ed391410549e3b0334a7d472d

SHA1
a6a995012663262de426b59de268025cdb0d4d18

SHA256
546f1bcc59b83555105bc63b3c3f7c7e9cdb9f746b2f0423cc3eb90c784beddb

SHA512
8d767210daf04b1cdb358d75827535ac1c09b160c47b80cc8e5c67acc949288fd146c6ed1eebad538f94a049928744ee705a830a9c09c20e2c54f98a03b12e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3af9f2196d616f8490eaa416723f2076

SHA1
7afd1cde00d8b8b31a53edca91bdc3309adf0369

SHA256
4f597c4989d6f7139049d85dc790b59aa400c45cfa2e9e4577fd8a27394096c9

SHA512
2927ae044abba0de8c1f049cec28437c8b132bed7ccf68be2381b5380f9e966347035629b5a0bee3ed982f71aedc8073dc3264c247d2a954816c9d4af0ef1cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
688a7284d4c5c3424a711e8d4729d3c4

SHA1
3c6f9c62d99cbe219f978d37788679c214439278

SHA256
2af498f733806573449dd46d13bf21fbb2848fddac11d880349f0f81cc789488

SHA512
e9459c5a026e61627738a2c036d0255a3e999b22a7bf0b96156bae6c2a09cfd741ef03fdecbd9e0a60c71c8b5cb346d18989c892da86493aa99b03f443f5d57c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d0918d6b78fc613667ed0b5f9715f90c

SHA1
e24cccd90d3a9b6d4a44d64f51b752b492e717b9

SHA256
3e1e23ffe4e25d3c523714d9a87d3206eaf959e28ed6c3fb41ed6cf2f3416bf8

SHA512
6c741c821ba506f68e369cdb63e035b81738b9c262440d452b51710ee98f8791c0d36f099a8e26fcbe34b95862f79a98da4342b6e13ac1f2ea8bbd76e79799f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e2e363395f6135c7b517c0c1605c438e

SHA1
80ee350a5982efdb4f9abc8772180960ea1e5b4b

SHA256
4e061650af8fdb90cabef5df73039c46745000130fba0fc05086774221f0f5be

SHA512
84f1d7b6b28597a8c45ab84348a6bf24fec7923a5ff5bf1f36b0ea116780114759e97ad2e311f4a0550a73316eb56f821b31b571ea408400f292c81afede255b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8709d393295ff22de492cfa242858a29

SHA1
75415235c67ac5ddd5e470ef0b6532f2b2a939d2

SHA256
199558f1af9791b2d5042cb6b596c942d1e7c61ed114cc8604e259d7d4672c96

SHA512
b3e23ad14af2e6a2d948f3c9c5dae76808b3d093846bd8335b700ae9722e4affa316b0797d7bfbbb17dbaac635c7a9d6fba849700f119d1ab7c02aa27e99e088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f111f631e389d2f4cd35945d6a733c5f

SHA1
391645d592cdef723c029d952ce8afc3735db448

SHA256
6561e075a2c6cd44d7f835264644affc22cb8cd6bd020f1d759c88823dd2679e

SHA512
49307947382454a37fc77b4924de2925371182b761c5c62cb665b2a57a9f7d7397019ad06430ba849c0b767f36682b72ad0effef08830750fb07cd3d81ddcb08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
982cb8612f00b83874992a235c60377f

SHA1
7ea109be117a940f7cbe9bf739bf68afdecd8014

SHA256
854c5e06f2603307c285a970054bed51d35aea405f944054507fa67637860061

SHA512
f93f70019a7ff017cd1714cb3fdb24dd876db1e722f4c60b9e7389a8d31f47d705bfa08de1796c866f5b2f98251c2f3f4b2279b0d06a60007d7809bf3c1535e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
34016d789e9dccd9361a4e3485523a54

SHA1
4f7e7e24176a254cf77b6e5669fe20223456feac

SHA256
9368536cd73cb68a833fa655013cd5e5f5a81df146ddac9e9e1efdd4b8093c80

SHA512
02140d0bcbed87643fb222b4e922cfa7d1ef2d1b378901c4feebed11002cd1e31831cb8258d510f23fcad1db2530c601656a178712200b7cf77aa3ddb61edeea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f858b991bc8a2e29b3bc16b20e660947

SHA1
0039a8549685a729171eae678258b2b224db00b5

SHA256
26a14026f8b86eedefe0bf6354f4abf5d1fa1169ed03ec99cfde41191b0b6a2d

SHA512
912bab278ba8e2cb19892869d32e380845a73cb79c5841fcce08e2273dd56f16f7fa7772fe85b43c35b28f66d3b0aea5a8a405d6903fac117a598fa9edb8a144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d1945cbf5eb18e92ca2b70dd717f384e

SHA1
8e60d3a03521416804c862fbfd132a4e4d51aa30

SHA256
da9f4a1f166c22f0292e46449c04d3e482477068353f7fafd3469d113b64a79c

SHA512
19719f24fb2b2417c7961c438c2c272ae474400a61df474689c2e01c13c14355391c19a8e32d7023838b191d36ea1ec6b726aaa2b96c94ecda944f56040d1bc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
884a0672e425f2a8bafcf5beaddfcc0a

SHA1
d515179fc25bf18240005d4f7c3bb69284223375

SHA256
026845246a68ed637549bac4a9e5d0374e471c74f2cf4caba9c9ba49160deea3

SHA512
b6c23e2a4f0c3db6587baa4726693a28edd420cc114b1c39fd44a0d258f716d245fe928b03bb7b4c8a80afb79ba611fa75712625bf2f2a230ad8319441bdb65e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b7eaf61a5226c58bb4df1ed8868a6cb2

SHA1
be5e70c997aafee0ad5eb8bee65c733699de7a1c

SHA256
e8be0a4018614fc4794fedf04819ea649a0ae9ab6dc6910efe892186ce08515e

SHA512
fc1005b0e1cf667d06ee59aa6e0749d352bf079c3a264fed010d3cd0e99e466b8548799b60ee0d53e42a7674647393076de91412cf02c628acc2b2d554964170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
100955151ef3820f96343244e15dcea1

SHA1
41f7be9741c09694b12376e88eef0c1aed8ec678

SHA256
da2ca47a9be524c92467f2a5910b333dca233ff9303845acbaf7f235f132ebb3

SHA512
57e0db7fa5e20d36b2334ec071907b5c7d344e90f025a3d8b738bee3c612bb6f9d97de133b1f29657a8131e080458c3cdd15056e8a371dd2d870de4f7aab9c7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d54940bb709a0e3108268637cbe2dc62

SHA1
7fe44b0a7e6a96b2277bade59eaeccb6a01b4b1d

SHA256
150436be4ee771df63e95d580d872bed8bf61e4a69256ef5f139f2596f3b75a5

SHA512
3bdc2e2d1995e439e29f90c3fb182e3bb6089a709c8715b3cd4c69af644b0db2b4fe81f3ffa70a5ee1925f19235df337924dac594da78c493c2b933694dfc7c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6948fd3c02c4f6008379db0a80d3aeda

SHA1
5e87fff24ccf5859e4525cde23908ca610c92da0

SHA256
abf3dfb5ba22f1dc8af3de244f0d2288b77eb51b01ca787b8b404315e49d3af0

SHA512
dedf9a6400d6615558d1aba906cf281f29f9523bb7544f5fac3e36bc86812140c2804d023c9ff963b8d87fcc23ddc73f01e3acdd56cbb32c24fb1a1388022565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
25684fe34901848588960b5be6d7a52b

SHA1
fe4d954e4050b372282c6f8f87180c4d6469c65f

SHA256
f604a28557aa93dc37a8cfb103e7cdfdcb44b0b185edc45cd2f15e0cb7318a83

SHA512
401f4c9c2e522a7622e012f7956cd57c15e5350d43495d2a660e7819ebe7f1153d96c276c78c6a08740a6bd9e8b24e299a056f1b88d923605e488d34b927a08d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8bed281d17c3e4187b64beefae1b2d36

SHA1
e4a9418eb66491352c46bd996e3b6374381975e4

SHA256
fc8d72de7d783cec5149550d4af3bf544478db541da002f5de5d41c9e8ac8278

SHA512
e609348af8cd130ab4351d5b41b0b0c46b9f3e929cbb344331b8c39a017c8ce0eabcc4bdf6051e548ebae5c9589f41d38324e2899dccdbafce0568bc9b0e8276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
008ad3b993ccae0b432ddf6ee4ca7226

SHA1
0b2d24c94cf0cec9477f63d77fa0295c16003301

SHA256
81dcf8e749939fb59d1e205077ba0523bbfc7ecc6d2d4abf654d222a87e3b846

SHA512
d1777ce0a6e0804357affa7f38d940aa7c8d0bfb5ef9cf14a963813fdb1fc9e3b12bc8b856539a767235a346906a413fe1afde49bf5090eb1676dea7707bbea7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b4e78014fcccbfdd61992d6066541156

SHA1
60091f4e557838d9a10fe2053f652733f7f631d7

SHA256
c3d9a16847a8c93b3847781d36128170063baca9c283503711bc5ed96858edde

SHA512
6f565f1b09f9e5f245f7f3dc4ffe59620b411ab4e1dbcd463591828fb2668edcd216e19f6f64be9ee9c72b716f5ac25fff6380ff872e376d94351eaea79abd66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
e3641376d8488f5f215ad91dd74cd647

SHA1
20e2aad4f60340c0923daaa3486cd1794d00181d

SHA256
162ee9f2eb52b44f50f370c6d5b1c1139a44a83c9971a8a8dd6f54f56245d791

SHA512
2b766118f3bfce51772dd0dbd882ac50166b236aaff23f8a25e85132b2dee4e8e6f8902ad6cf2c1961f10ff1355a29ff25cb0e8924cc2ebfb21f413f45b3ca9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
568d8d29a803d4b34695d3ee992ec666

SHA1
0646094c969f15192a4cfe5944b1c2e6cafd4484

SHA256
ba51ef81797c41489ef79f32badcda7348179bfde7ae6806289107add2553ac5

SHA512
40ac9692f417a16aa1024a1a6574fe6b653f2db580e90b249b7fbda17df2234b112ae787cf969e97bc95416f29a2244ea8d78890dc18c8c09649c13f4fd86a56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
715f3f959ddf46738afd527ca95f4789

SHA1
8be91dcdedfe6c77d5d8b834047d98b89873069e

SHA256
19d3c9d3a0129cab565ae72ef9cfd3c7398360afb5bc56938565f04d62baf32e

SHA512
3b4610d5c01f40fce98a411142ab3d83d967697c1df6fe292c6eb9c1231d9f49fe9f6c53275c7c5f6bd87e1a20910dbd4a454615d60b375de16b7c178c926733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
58f929a29fb6fa201b1db08c32df134a

SHA1
d3b47ded25467e618792d9f547c6b983c090a041

SHA256
7435596e84a7255d3ce7ab77ba2db21f292fcbd23ab8b8d29e5e0b6ee4958056

SHA512
74f200db13653991011e5d17b505e404a45cfb28860b3fc40fe5199440bf8d939877931b7ebd26502dc3912d17e72d8b17991db74b8c77c181491d777a9d67cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
127KB

MD5
e31869870334d48759389aaa07d595ef

SHA1
777df9d3bb5ee29bfe8e9b85b5c7d7d8e572a7c3

SHA256
431747496a2072a3ed4b31b43192781d3d959dae2ed67f30a904d1335f5f831b

SHA512
4932fed1ce72c7ab5ca5205743e3e6f95e6f4c37e17105afc850b0ed5858399d3f96ba1ceede77f4906bffbb363d9b87b146d16bd1bcdf9165d50e6538b149ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
af6217204bc4a743b4df27975d4bd554

SHA1
3cd9a9517b8d1d43eba40182cfb0cd3056f696df

SHA256
4dce58461ef5052e1f9b005ad82228fdbafae1679a2d473668a5e284be01d1bc

SHA512
fa0ae7dbdf45af13345bed03b58047e739da5195abf798a2304de9eb8e2a669ab6be9ae5a2e430fb4423db9f417a3c10298ea53e023f25be3376a1edbf0cb0dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
694f109f8cdbdfc1e5abac8069b1a623

SHA1
49b1b4ef6aacac9f1ecff06d1bfd3735e201f159

SHA256
83faa3fbb9560ae084b75bdf056639a284379ce8ace68f77e8d123d8206ef5fc

SHA512
5e6ccb0e275175e34317b1abdd026cb5e911424d483ab5e683494196ab2273a8faa577d5ebc23eb9207fdd8057828b371217ee74298d5d4187f2ffb2bf7eee29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
7325c6de04e37760026d00300e11a13a

SHA1
36733a0adeb992f9d6e514e4ed0137c92ab55e49

SHA256
29a2b8e39b4746db149be025e3122fd2294ebb4eadb05d8b64ff6b30620ce8c6

SHA512
02b8a1712ab38fc4a0e2fa02603ee42f189b1682e986912868470d2f6495fbe6296aa896e86895fa2e35f0bac5f9269c194ac8465a3a2748a2f2e8e481ade912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57b3cf.TMP
Filesize
88KB

MD5
c5a3b38c7546ffd7d9b212c395fa6ca0

SHA1
270cc4609b6ae800523b3af21526179bedafb1e0

SHA256
813b8fbec55be619220da92eb5bef50d1c591189fd757c2c19ab377d93d47faa

SHA512
4b80401b1c62745ee05f42b932a56485e0f991498ae040280b9f56819f00abeef99f3225318a43f7f8dc84f5d25142a7c292e7fbfc7562d91c79b060e8754584

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun
Filesize
8KB

MD5
f22599af9343cac74a6c5412104d748c

SHA1
e2ac4c57fa38f9d99f3d38c2f6582b4334331df5

SHA256
36537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65

SHA512
5c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E29DF40E-53E0-48C4-9259-06483918A713} - OProcSessId.dat.fun
Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
9.1MB

MD5
614ddaa0064ae46e23143440443c0c2f

SHA1
81286a5037add7376766b2a31e61f6d26bb99b5a

SHA256
f71dbf777ccfa1febadae9e7184df86bb009b6000439bc8b16af71be4c804992

SHA512
d20c5475ba1f9c73034131a4f9c73748d84f68a9d60687367a1677cb5cc324576691850e15cc9a20a7b025bf34349935c57c44f49b47e62e4df47596a29ea620

Download Submit
C:\Users\Admin\Desktop\@[email protected]
Filesize
944B

MD5
00133ef27c39167fcd856c5718e49bfd

SHA1
406fb2c728d764ce0a668e21ca516b38bbd908ce

SHA256
a510099637a6351283648c5ac91da1ccb24fc8879aa0cf591293260371c03f97

SHA512
f5cd4d7b036fab4155e60ea6ae8599005ba88d150b4be163e836d4e22bc44975652dec39f8770e10286aeae6ebc4e3b6ed318c8eedd9a740ba08f0ccee60b61a

Download Submit
C:\Users\Admin\Downloads\Ransomware.Hive.zip
Filesize
6.6MB

MD5
33dc6cf9108fa7a395d632c29021791c

SHA1
61ccffbfb8f2458be139aa1d3c9dd715f25cd06d

SHA256
af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

SHA512
5b7206cd076e313f15a13c4f6278ea80c109577530bc43614efc631aeb8b53f8b0abba1135298ba6b6b7fa2f19321ab673b257d3b4c0cbc95bd4c50c8040466d

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip
Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe
Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload
Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\191751713902009.bat
Filesize
362B

MD5
fe9561e52b9a2cad33eaa33fbdaee8f4

SHA1
2bc1b267837017ec84edec64e2ed5ab787a59793

SHA256
6cf7e177e05490a3326a71f20a6640edef1d92936601969df22b0ea5261b1d44

SHA512
e734e185a32b0d2109cb666c8bf217096fffb9804578b97d8b108a7edae01ab129c7e6bf20174faf67c5ec493e9ce0e98d85381017fd3b879fe7232a36430261

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
Filesize
721B

MD5
f37ceb7726f2972ec942ee1589334854

SHA1
fff3d585de1ebb07792e7bf0ceff847f8d0a8e95

SHA256
2a8e73575408196e5b125267c6f47336cd1b82345c22adbcf9e7095284776753

SHA512
84e5f2bcc9d6fa51ef2c33ebe2e556970e5978be2f5ffc1998e2df609df8194656e0df5dac8164ce60284625b737de7f7e57267d028feba3c079f4f36589c134

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\c.wnry
Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\m.vbs
Filesize
241B

MD5
cb8af050def8bd8ff07b6fece0b09530

SHA1
8faf2a240203f7dc8739952672c788a0fb2df973

SHA256
c97d8fc0de558b033cbf088ef69122addd364e65a49111aec218465549bf1227

SHA512
5ccb09d7e199f31e4a9a92621755c6514e8aae6187b6bef8aba2b6644834776941401188646dbf552639a13124285de15b18e6ff12acb57f91cb7d204cafdd57

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_slovak.wnry
Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_spanish.wnry
Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_swedish.wnry
Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_turkish.wnry
Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_vietnamese.wnry
Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\r.wnry
Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\s.wnry
Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\t.wnry
Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\u.wnry
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip.crdownload
Filesize
2.3MB

MD5
5641d280a62b66943bf2d05a72a972c7

SHA1
c857f1162c316a25eeff6116e249a97b59538585

SHA256
ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

SHA512
0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

Download Submit
\??\pipe\crashpad_3088_SNXRFXNQGXDWKOPX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1924-5433-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-2395-0x00000000734E0000-0x00000000736FC000-memory.dmp

Filesize
2.1MB

Download
memory/1924-2460-0x00000000734B0000-0x00000000734D2000-memory.dmp

Filesize
136KB

Download
memory/1924-2459-0x00000000734E0000-0x00000000736FC000-memory.dmp

Filesize
2.1MB

Download
memory/1924-2458-0x0000000073700000-0x0000000073782000-memory.dmp

Filesize
520KB

Download
memory/1924-2457-0x0000000073790000-0x0000000073807000-memory.dmp

Filesize
476KB

Download
memory/1924-2456-0x0000000073810000-0x000000007382C000-memory.dmp

Filesize
112KB

Download
memory/1924-2455-0x0000000073830000-0x00000000738B2000-memory.dmp

Filesize
520KB

Download
memory/1924-2454-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-6043-0x00000000734E0000-0x00000000736FC000-memory.dmp

Filesize
2.1MB

Download
memory/1924-2400-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-3260-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-2398-0x00000000734B0000-0x00000000734D2000-memory.dmp

Filesize
136KB

Download
memory/1924-2396-0x0000000073700000-0x0000000073782000-memory.dmp

Filesize
520KB

Download
memory/1924-2394-0x0000000073830000-0x00000000738B2000-memory.dmp

Filesize
520KB

Download
memory/1924-2392-0x0000000073830000-0x00000000738B2000-memory.dmp

Filesize
520KB

Download
memory/1924-6038-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-2696-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-2715-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-2727-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-2958-0x0000000000850000-0x0000000000B4E000-memory.dmp

Filesize
3.0MB

Download
memory/1924-2963-0x00000000734E0000-0x00000000736FC000-memory.dmp

Filesize
2.1MB

Download
memory/2600-2326-0x000000001B8D0000-0x000000001BD9E000-memory.dmp

Filesize
4.8MB

Download
memory/2600-2324-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/2600-2322-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/2600-2336-0x000000001B330000-0x000000001B3CC000-memory.dmp

Filesize
624KB

Download
memory/2600-2355-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/2600-2323-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/2600-2325-0x0000000000E30000-0x0000000000E68000-memory.dmp

Filesize
224KB

Download
memory/2668-2690-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2668-2693-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/2668-2692-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/2668-2689-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/4704-2688-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/4704-2354-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/4704-2687-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/4704-2356-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/4704-6033-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/4704-6034-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/4704-2359-0x00007FFEF57D0000-0x00007FFEF6171000-memory.dmp

Filesize
9.6MB

Download
memory/4704-2410-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/4872-920-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download