Analysis

  • max time kernel
    443s
  • max time network
    432s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-05-2024 07:25

General

  • Target

    https://dropmeafile.com/#4da74a3119

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!

Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions!

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 24 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 47 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dropmeafile.com/#4da74a3119
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee7ce9758,0x7ffee7ce9768,0x7ffee7ce9778
      2⤵
        PID:3192
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:2
        2⤵
          PID:3220
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
          2⤵
            PID:2364
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
            2⤵
              PID:3432
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:1
              2⤵
                PID:1176
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:1
                2⤵
                  PID:1160
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
                  2⤵
                    PID:2444
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
                    2⤵
                      PID:4396
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2620 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:1
                      2⤵
                        PID:1796
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5536 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
                        2⤵
                          PID:2592
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5524 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
                          2⤵
                            PID:828
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
                            2⤵
                              PID:3288
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4728 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
                              2⤵
                                PID:4224
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3176 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
                                2⤵
                                  PID:4744
                              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                1⤵
                                  PID:4340
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
                                  1⤵
                                    PID:212
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:1432
                                    • C:\Users\Admin\Desktop\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
                                      "C:\Users\Admin\Desktop\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      PID:700
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c 277271716017239.bat
                                        2⤵
                                          PID:2104
                                          • C:\Windows\SysWOW64\cscript.exe
                                            cscript //nologo c.vbs
                                            3⤵
                                              PID:3636
                                          • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                            !WannaDecryptor!.exe f
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4924
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /f /im MSExchange*
                                            2⤵
                                            • Kills process with taskkill
                                            PID:4356
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /f /im Microsoft.Exchange.*
                                            2⤵
                                            • Kills process with taskkill
                                            PID:1688
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /f /im sqlserver.exe
                                            2⤵
                                            • Kills process with taskkill
                                            PID:4388
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /f /im sqlwriter.exe
                                            2⤵
                                            • Kills process with taskkill
                                            PID:1548
                                          • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                            !WannaDecryptor!.exe c
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4956
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd.exe /c start /b !WannaDecryptor!.exe v
                                            2⤵
                                              PID:988
                                              • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                !WannaDecryptor!.exe v
                                                3⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2920
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                  4⤵
                                                    PID:3204
                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                      wmic shadowcopy delete
                                                      5⤵
                                                        PID:4536
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Sets desktop wallpaper using registry
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4424
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4268
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3664
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3088
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1260
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1544
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4344
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:968
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:2400
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4404
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:5064
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3724
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4028
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1228
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1740
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1084
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4384
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4716
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3364
                                                • C:\Users\Admin\Desktop\!WannaDecryptor!.exe
                                                  !WannaDecryptor!.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4488
                                              • C:\Windows\system32\NOTEPAD.EXE
                                                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
                                                1⤵
                                                • Suspicious use of FindShellTrayWindow
                                                PID:940
                                              • C:\Windows\system32\vssvc.exe
                                                C:\Windows\system32\vssvc.exe
                                                1⤵
                                                  PID:3320
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe"
                                                  1⤵
                                                    PID:4156
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /f be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
                                                      2⤵
                                                      • Kills process with taskkill
                                                      PID:2800
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /IM be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe /F
                                                      2⤵
                                                      • Kills process with taskkill
                                                      PID:1628
                                                  • C:\Windows\system32\taskmgr.exe
                                                    "C:\Windows\system32\taskmgr.exe" /7
                                                    1⤵
                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                    • Checks SCSI registry key(s)
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                    • Suspicious use of FindShellTrayWindow
                                                    • Suspicious use of SendNotifyMessage
                                                    PID:4556
                                                  • C:\Windows\SysWOW64\werfault.exe
                                                    werfault.exe /h /shared Global\00ba1acc5588432eb5f91255f3d5d8f3 /t 3892 /p 4424
                                                    1⤵
                                                      PID:396
                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                      1⤵
                                                      • Modifies Internet Explorer settings
                                                      • Modifies registry class
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1828

Network

MITRE ATT&CK Enterprise v15

Downloads

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                      Filesize

                                                      336B

                                                      MD5

                                                      044f964e447589507396b6d051700a01

                                                      SHA1

                                                      fff91c26e4602a1da446a4acd2dfcdb24d22c435

                                                      SHA256

                                                      be64bdc41ecc3006c01c0e8778c83418919a41d75f8e7ad616b1dcd9fd96d4d8

                                                      SHA512

                                                      ba54b17b997fe483fa5a87b3e55699eab1d9f0d61ce4c69b47e3fe5639edc822d0fb4387af6a0918ddd763c72aa8e5f0cb6f37fee4bb991327ef5a9928768f10

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                                                      Filesize

                                                      264KB

                                                      MD5

                                                      1a18c6516286196cf050a0446033a656

                                                      SHA1

                                                      c364027fa9114c65e54358cc3fae74a94e7bf4b9

                                                      SHA256

                                                      23eab7531cc8d808055db1751b0f91f8bf3c105776d47bbd4fd29483725c3e0d

                                                      SHA512

                                                      53153865b6b2ec59c819bf7b5bc31f6b9b5e6cef6ca9262e8605c8553269aee7f7e84f6c0996fd07d3630663852326b06f9ba2fc778901b63e55b46f15f7b8e5

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      d55fe63a1706f2b4747e08111ea64a4b

                                                      SHA1

                                                      09b23fd0c36bd16621603ad39e9359fc07463f7e

                                                      SHA256

                                                      9dcb7cffd6197b4b9d8c172065fd45e23a094b2306aefee9459dde1bb6b4e638

                                                      SHA512

                                                      bb822cee519cbfe3e10fc237b4a638411424ba41fc7024982cb875291d1ca3ec03a363dc9738fad51835962ab771893cd3cc0d1426d82422d1320e4b3314e2a9

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                      Filesize

                                                      870B

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                      Filesize

                                                      5KB

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                      Filesize

                                                      6KB

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                      Filesize

                                                      6KB

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                      Filesize

                                                      5KB

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                      Filesize

                                                      128KB

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                      Filesize

                                                      128KB

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                      Filesize

                                                      128KB

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

                                                      Filesize

                                                      6B

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                                                      Filesize

                                                      2B

                                                    • C:\Users\Admin\Desktop\!Please Read Me!.txt

                                                      Filesize

                                                      797B

                                                    • C:\Users\Admin\Desktop\!WannaDecryptor!.exe.lnk

                                                      Filesize

                                                      588B

                                                    • C:\Users\Admin\Desktop\00000000.pky

                                                      Filesize

                                                      276B

                                                    • C:\Users\Admin\Desktop\00000000.res

                                                      Filesize

                                                      136B

                                                    • C:\Users\Admin\Desktop\00000000.res

                                                      Filesize

                                                      136B

                                                    • C:\Users\Admin\Desktop\00000000.res

                                                      Filesize

                                                      136B

                                                    • C:\Users\Admin\Desktop\00000000.res

                                                      Filesize

                                                      136B

                                                    • C:\Users\Admin\Desktop\277271716017239.bat

                                                      Filesize

                                                      314B

                                                    • C:\Users\Admin\Desktop\CloseUnprotect.exe

                                                      Filesize

                                                      359KB

                                                    • C:\Users\Admin\Desktop\CopyEnter.3g2.WCRY

                                                      Filesize

                                                      429KB

                                                    • C:\Users\Admin\Desktop\DenyBackup.vbs.WCRY

                                                      Filesize

                                                      592KB

                                                    • C:\Users\Admin\Desktop\EnableInvoke.dib

                                                      Filesize

                                                      568KB

                                                    • C:\Users\Admin\Desktop\ExitWatch.xls.WCRY

                                                      Filesize

                                                      406KB

                                                    • C:\Users\Admin\Desktop\FindOut.vdx

                                                      Filesize

                                                      661KB

                                                    • C:\Users\Admin\Desktop\InitializeReceive.cfg

                                                      Filesize

                                                      383KB

                                                    • C:\Users\Admin\Desktop\LimitConfirm.potm.WCRY

                                                      Filesize

                                                      685KB

                                                    • C:\Users\Admin\Desktop\OpenDisable.mov.WCRY

                                                      Filesize

                                                      476KB

                                                    • C:\Users\Admin\Desktop\RedoRename.mht

                                                      Filesize

                                                      452KB

                                                    • C:\Users\Admin\Desktop\RegisterTest.m1v

                                                      Filesize

                                                      638KB

                                                    • C:\Users\Admin\Desktop\RenameExit.avi.WCRY

                                                      Filesize

                                                      952KB

                                                    • C:\Users\Admin\Desktop\ResetLimit.html

                                                      Filesize

                                                      545KB

                                                    • C:\Users\Admin\Desktop\ResizeComplete.mht

                                                      Filesize

                                                      615KB

                                                    • C:\Users\Admin\Desktop\ResumeClear.sys

                                                      Filesize

                                                      290KB

                                                    • C:\Users\Admin\Desktop\SendInstall.wvx

                                                      Filesize

                                                      522KB

                                                    • C:\Users\Admin\Desktop\SplitExport.wmf

                                                      Filesize

                                                      499KB

                                                    • C:\Users\Admin\Desktop\TraceMount.wmx

                                                      Filesize

                                                      313KB

                                                    • C:\Users\Admin\Desktop\UnblockCompare.vbe

                                                      Filesize

                                                      336KB

                                                    • C:\Users\Admin\Desktop\WaitResume.contact

                                                      Filesize

                                                      243KB

                                                    • C:\Users\Admin\Desktop\WatchUninstall.nfo

                                                      Filesize

                                                      267KB

                                                    • C:\Users\Admin\Desktop\c.vbs

                                                      Filesize

                                                      197B

                                                    • C:\Users\Admin\Desktop\c.wry

                                                      Filesize

                                                      628B

                                                    • C:\Users\Admin\Desktop\f.wry

                                                      Filesize

                                                      534B

                                                    • C:\Users\Admin\Desktop\m.wry

                                                      Filesize

                                                      42KB

                                                    • C:\Users\Admin\Desktop\r.wry

                                                      Filesize

                                                      729B

                                                    • C:\Users\Admin\Desktop\t.wry

                                                      Filesize

                                                      68KB

                                                    • C:\Users\Admin\Desktop\u.wry

                                                      Filesize

                                                      236KB

                                                    • C:\Users\Admin\Downloads\Unconfirmed 321285.crdownload

                                                      Filesize

                                                      224KB

                                                    • \??\pipe\crashpad_1900_YOKEIVZXOPRNGLIK
