wannacry | 0222cc61c820439a567eea5723d3e3a4395a0d5be62db28f79c7ff5af4383eb1

Analysis

max time kernel
202s
max time network
289s
platform
windows7_x64
resource
win7-20240705-ja
resource tags

arch:x64arch:x86image:win7-20240705-jalocale:ja-jpos:windows7-x64systemwindows
submitted
03-08-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hel.txt
Size

119B
MD5

508c8862355296708a0423012dad2351
SHA1

22c718de051d572d55e22b83c478cf39b563d4c4
SHA256

0222cc61c820439a567eea5723d3e3a4395a0d5be62db28f79c7ff5af4383eb1
SHA512

bf0b34c1358f51907fd9208a8ec51900101f7de80ff1485e88625f25f248f7096c86efe2a4d12cb71644c86830620019a8af624811c2e31abda49a1a047002b8

Score

10^/10

wannacry bootkit defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7202.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7215.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 10 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exe

pid	process
2780	taskdl.exe
3220	@[email protected]
2988	@[email protected]
1772	taskhsvc.exe
2744	taskdl.exe
324	taskse.exe
2236	@[email protected]
1860	taskdl.exe
2116	@[email protected]
2592	taskse.exe

Loads dropped DLL 19 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
976	cscript.exe
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1100	cmd.exe
3220	@[email protected]
3220	@[email protected]
1772	taskhsvc.exe
1772	taskhsvc.exe
1772	taskhsvc.exe
1772	taskhsvc.exe
1772	taskhsvc.exe
1772	taskhsvc.exe
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2816	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2688 icacls.exe

pid	process
2688	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkiigmgqs580 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeicacls.execmd.exenotepad.exe@[email protected]WMIC.execmd.exevssadmin.exe@[email protected]@[email protected]@[email protected]MEMZ.exetaskhsvc.exeMEMZ.exeIEXPLORE.EXEattrib.execscript.exeattrib.execmd.execmd.exereg.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

3088 vssadmin.exe

pid	process
3088	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 30d9d969b9e5da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000030000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428860569"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://youareanidiot.cc/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B255D101-51AC-11EF-985A-66195533A136} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000cfc59b7eece237661ffb2f357845ab32f94d9e0bcfc7dfbb1fd993deb9f80109000000000e80000000020000200000008ae1b86b05cd0a7c88afd0fa45cb867b5c4b5223d472c7d69c2b7ac9698bd01d90000000d4e3c31a55d6f9186fd0f59af2fd08fd090065b36219065a4c2e9b24aab55b173fa22839a7525c7b319fc97d4897c7fb1f56c5bd0049b8981403ad41bd4ff1b90430e242e75169ea90b0cf25ebdea4bf6fa58a9614cf0c48e9593c19d5ca311a5de73278204bf868a51a4c40da26d8405c0f8ea21d8ae0341b9ebabb07159171e64672815c39f4814346a9b3be547fc440000000e22e2ff54d81265e811e25fe0b57e3c0e5e066ce07a096a7d69c6f6a59cbd7d6672352efaa4fae1ae8890d79bd4451ea2eb4ec793f68ed0514072eb7ca652131	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = c8983d7cb9e5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings firefox.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2852 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings	firefox.exe

pid	process
2852	reg.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MEMZ-virus-main.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2352 NOTEPAD.EXE
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

3420 regedit.exe

pid	process
2352	NOTEPAD.EXE

pid	process
3420	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskhsvc.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1772	taskhsvc.exe
1772	taskhsvc.exe
1772	taskhsvc.exe
2692	MEMZ.exe
2176	MEMZ.exe
2692	MEMZ.exe
2944	MEMZ.exe
1452	MEMZ.exe
3288	MEMZ.exe
1452	MEMZ.exe
2176	MEMZ.exe
3288	MEMZ.exe
2692	MEMZ.exe
2944	MEMZ.exe
3288	MEMZ.exe
2944	MEMZ.exe
1452	MEMZ.exe
2692	MEMZ.exe
2176	MEMZ.exe
2176	MEMZ.exe
3288	MEMZ.exe
1452	MEMZ.exe
2692	MEMZ.exe
2944	MEMZ.exe
2176	MEMZ.exe
2692	MEMZ.exe
2944	MEMZ.exe
1452	MEMZ.exe
3288	MEMZ.exe
2176	MEMZ.exe
2692	MEMZ.exe
2944	MEMZ.exe
3288	MEMZ.exe
1452	MEMZ.exe
2176	MEMZ.exe
2692	MEMZ.exe
3288	MEMZ.exe
2944	MEMZ.exe
1452	MEMZ.exe
2176	MEMZ.exe
2692	MEMZ.exe
3288	MEMZ.exe
2944	MEMZ.exe
1452	MEMZ.exe
2176	MEMZ.exe
2692	MEMZ.exe
3288	MEMZ.exe
2944	MEMZ.exe
1452	MEMZ.exe
2176	MEMZ.exe
2692	MEMZ.exe
1452	MEMZ.exe
2944	MEMZ.exe
3288	MEMZ.exe
2176	MEMZ.exe
2692	MEMZ.exe
1452	MEMZ.exe
2944	MEMZ.exe
3288	MEMZ.exe
2692	MEMZ.exe
2176	MEMZ.exe
1452	MEMZ.exe
2944	MEMZ.exe
3288	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exeAUDIODG.EXEvssvc.exeWMIC.exetaskse.exeIEXPLORE.EXEchrome.exetaskse.exe

description	pid	process
Token: SeDebugPrivilege	2848	firefox.exe
Token: SeDebugPrivilege	2848	firefox.exe
Token: SeDebugPrivilege	2848	firefox.exe
Token: SeDebugPrivilege	2848	firefox.exe
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE
Token: SeBackupPrivilege	1420	vssvc.exe
Token: SeRestorePrivilege	1420	vssvc.exe
Token: SeAuditPrivilege	1420	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: SeTcbPrivilege	324	taskse.exe
Token: SeTcbPrivilege	324	taskse.exe
Token: 33	3156	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	3156	IEXPLORE.EXE
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeTcbPrivilege	2592	taskse.exe
Token: SeTcbPrivilege	2592	taskse.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

Processes:

firefox.exeiexplore.exeiexplore.exechrome.exe

pid	process
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
3128	iexplore.exe
2056	iexplore.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

firefox.exechrome.exe

pid	process
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe

Suspicious use of SetWindowsHookEx 32 IoCs

Processes:

firefox.exeiexplore.exeIEXPLORE.EXE@[email protected]@[email protected]@[email protected]IEXPLORE.EXEiexplore.exeIEXPLORE.EXE@[email protected]

pid	process
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
3128	iexplore.exe
3128	iexplore.exe
3156	IEXPLORE.EXE
3156	IEXPLORE.EXE
3220	@[email protected]
3220	@[email protected]
2988	@[email protected]
2988	@[email protected]
3156	IEXPLORE.EXE
3156	IEXPLORE.EXE
2236	@[email protected]
2236	@[email protected]
3128	iexplore.exe
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2116	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2820 wrote to memory of 2848	2820	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2864	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2864	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2864	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 2744	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 3032	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 3032	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 3032	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 3032	2848	firefox.exe	firefox.exe
PID 2848 wrote to memory of 3032	2848	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2352 attrib.exe
1772 attrib.exe

pid	process
2352	attrib.exe
1772	attrib.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\hel.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.0.588950563\1419886027" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1228 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab0f7afd-001e-4c54-9d7f-9b2938353318} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 1312 116d7858 gpu
3⤵
PID:2864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.1.1914985913\1237837605" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5efa5ad-1789-4e49-8e97-9c2bbba5895a} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 1504 d6fb58 socket
3⤵
- Checks processor information in registry
PID:2744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.2.1227866681\1389765107" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e044b26f-6f22-42d7-9e31-2efc7ecbe6b1} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 2100 19b9fa58 tab
3⤵
PID:3032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.3.1617566874\598458673" -childID 2 -isForBrowser -prefsHandle 600 -prefMapHandle 800 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c426ed6-7199-4a3e-bb53-05a7c22fe048} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 1664 d71358 tab
3⤵
PID:2412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.4.1313507418\1328534468" -childID 3 -isForBrowser -prefsHandle 2968 -prefMapHandle 2964 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bba90f3f-daab-40d3-bb5e-4c5fababb353} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 2980 1c1e6b58 tab
3⤵
PID:2360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.5.1467045946\1982295687" -childID 4 -isForBrowser -prefsHandle 3772 -prefMapHandle 3756 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffadd88-e83a-48f9-8b74-9680d17eba52} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 3788 1f4f9158 tab
3⤵
PID:1096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.6.1332330428\221108312" -childID 5 -isForBrowser -prefsHandle 3916 -prefMapHandle 3920 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60990d2d-209d-47f8-8a4b-1f7c28007e17} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 3900 1f4f8858 tab
3⤵
PID:2488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.7.732950754\428545616" -childID 6 -isForBrowser -prefsHandle 4104 -prefMapHandle 4108 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c238f6d-db8b-4cd8-95ab-de56fd17e338} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 4092 1f4f9a58 tab
3⤵
PID:1116

C:\Windows\system32\IME\IMEJP10\imjppdmg.exe
/Migration
3⤵
PID:1376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2848.8.2043332461\601246474" -childID 7 -isForBrowser -prefsHandle 4424 -prefMapHandle 4412 -prefsLen 26621 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0093102d-6e03-41d3-9d35-744dc81942ad} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" 4584 d66e58 tab
3⤵
PID:3208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:275457 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:537609 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2816

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1772

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2688

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c 223641722698710.bat
2⤵
- System Location Discovery: System Language Discovery
PID:1448

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:976

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2352

C:\Users\Admin\Desktop\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1100

C:\Users\Admin\Desktop\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
PID:2592

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:3088

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wkiigmgqs580" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
2⤵
- System Location Discovery: System Language Discovery
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wkiigmgqs580" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2852

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1860

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:2496

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:3604

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:3600

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3188

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:876

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:3580

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
PID:3172

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
PID:964

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
PID:3376

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2764

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3288

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:2948

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
- System Location Discovery: System Language Discovery
PID:1676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=stanky+danky+maymays
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:996361 /prefetch:2
4⤵
PID:3928

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:865309 /prefetch:2
4⤵
PID:1176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:1324050 /prefetch:2
4⤵
PID:3628

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:1455134 /prefetch:2
4⤵
PID:3356

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:4064

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:2604

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- Runs regedit.exe
PID:3420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6569758,0x7fef6569768,0x7fef6569778
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:2
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:8
2⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:8
2⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:1
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:1
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1512 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:2
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3160 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:1
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1444 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:1
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3548 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:8
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 --field-trial-handle=1232,i,14707445071658701716,16973186241285169428,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e9cec812c494deca00ce5df6230c2a38

SHA1
8625adb85d69a573a60192ecfda2a95851685472

SHA256
3bb178fe9aa12865351a77a952dcfff7df3924b40d59e8ffd6a38a35d97c8232

SHA512
0db2d4deca98f9d5c2487431f0268423bb60f44c0c955a5b232953b4b78e33c5cfc619b5a6a01107b32fe9b192589fd63389bb559a8020be3d729e6135ceb358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab5815c0b97e8b055b5ed0a3f6a8ec8c

SHA1
971c6a8b4144aed3400b0445061ca8941f87b2a4

SHA256
a55488e9e7aabaf636678c305aa241cb47045b4225eabce01b1992d6308f03ae

SHA512
a390c2201bda89512fd49515f6283589b663041d7a5f988edc831622791a845e90b6b65869fad6ea44333aea4d3f38c66483a9c4cf1a4aed713c66e63576aa31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d4d15ce64acdf78f63ce42dde6b3fe3

SHA1
63bb3a2a087790f2e4157ad671491d6836493303

SHA256
b487d032e33adbb0096de5ed420bb2cbfc5efeb4c96f08397c3f1b0149d10918

SHA512
0d48aaa54e66f6d90b062d98444a5aa29b231c7abcd69c6095006ae3ad2da745e08963ac20b490a94b1d70d7fdd0430934edb11b0d08f281ba47cf533837587d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb2c2124b295900b8b8f49997997ae4a

SHA1
de8859d64c9f0bedf836e7077923c03167c43ea7

SHA256
38329015b36e76ba5689a9c7bceaaab8b2120d26d8b9514a3b94ef7a3e2ecc18

SHA512
61ac3bc92256214a810877c64e7b5860dcf112b9362e4cbf8e81525d2196b2a7485c08d8d5a1de1041fce453b49ce9345a53b95e0d42f5bf25f4e41a4f20ef0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3500801f910eca38479aa9989b7a4d9e

SHA1
b5eb98deff50788de28d024921e5a3e30a655a07

SHA256
2c94a3959434e108b48c56013853b113af901666a207559557fa587916225652

SHA512
bd2ffff27c35eefd25c89d70fd0c2dd75ad5cd705e4bbcb3e67974416a8bf4b490582ed06ba94d6cef3ac921f2cfe323dbe5397a751213ef41bbfc30714be4d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c2abe53e8836c723bda97e3b43646e3

SHA1
5759bf7ab24c530b2fd7e26b59fe5bfae1cd0d04

SHA256
59bc9a81babd672def5f25241cf516ceeaeb1c5b40c2e419464e7261325673bc

SHA512
b4b83f990f904907ce580b9f878ea4ba08a62fa11b8dada56fadcb7d32d5f72bcef6ac52f5b3dcbae64105db83ec6c2de29de716d124d624d17479022d80c657

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a3758722ef3e0deeb3cfae8f8433162

SHA1
ecc2a8c5a8e4402c22bb15e4cfb78c90967d8b58

SHA256
56e66bcc8bb2005a042c57d13e4c31c66118d50cb5f0056921a1476f9e705a2c

SHA512
5de34a91d7ff2a7b339aa140d98107895e244fadc22c0134e212a84e2bc7cd2c73614f6c255bc213b3f48c5de4d7f5ce37b6aedac5aa7fbb897ace73d03cce46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e0eaa22c354a49fc5e256fda3e4985e

SHA1
2dd7b62f85dd38502db8509c2edf753f7a3ba4bc

SHA256
72f36015f2680fbf43a0d91aa6bf557b16b061b8c95cebd015a2ab8209da4dae

SHA512
08e7b8a6342d263a1016536dc8af9bd0433d7c49d9561fc810435b2f63e9f5463011333d4764f5eb09750588bb241d25419ded0e6aaaa98c9094a7d7d2fe42a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f491237347aeba65ec23d04b826c1ab

SHA1
293065065c28cda3a388359ed60b2fbc9aeae35e

SHA256
32da9b95cd9307c9e0a76774ab4d7487873df991f38c5ab8e6c434cc38688fd1

SHA512
a4983bc11f7c777835da27be76b43ec2c92334b709e8add78862169a6bd75ae2747f34ab433192e83e54283a7ff9c4abaffb5c89815d44a746a445fd2e954b4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3a50345376454c41f4f323842ca97b4

SHA1
d15b9f71b8365aa2e5f8e4b822306ca47788e62f

SHA256
3844e7ce88e95ab84d067b9d550fce2ac99829ec5e4afd47cbb7d33284a11758

SHA512
a5e82752f64ffed2129ef3b701e55450b630b00a94e85a1a38023a9a77d67d28962a5929906ad349178875c76e4d1977944c710b493b7c88ffa11274589b30f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c86be15443f13207f8a4e049965598c

SHA1
151ff4fd72a011d9efc3cc49c5305c422ec1ebd0

SHA256
2a4afa83b7e7fc6b3cc0501a693336f6772d5fa6d6350fbab58b81c669562f23

SHA512
ae1a1a6202aa5aee54a22176f53c98369808ebca191a4d0fa0839af6aba46f48291ff66ef72c975091a23e8edf218ac1613e1892cd3608bb604498e148898f46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62d61ee0fbb83db9840115c19066cdb2

SHA1
40e4a17fd4e34691ee4294266102b6a6873b57e5

SHA256
cc85682e9b9f12866f7b419a08b1fbfa0128d0667aa8a7a1838e10d8babd2ba8

SHA512
ea499c47ecc13ec2feb132362175a2e26e5636aacdd427cbdb4e275f18536a7d91bca01a773bc2ed9808131fca5ac2d54ea3010b4fa0259c13433bba8470d55c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8aafb858c369e6ea822e5cb706b34ffc

SHA1
a9443d56e3a557301cecadf5e5595bf629ae91e5

SHA256
38611bb417429ab41f688a6fbf8a90a30e489a0f3a80517679b41cef6d67fb3d

SHA512
6258f4f100555e1ec58bd796fc3b83a5b5630298c2dda36e7433e55ad69cec7d5db067828546228d528c6829512858a2179f3feab9e72439a55faa498f056c03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7de4a1250bb1a9cb842f74e4c35b9e8

SHA1
1f9ceb4531214ad5fd82229a6cddc7127ca7a7d1

SHA256
55da7f40fa94980277aa6acab532e0523da10de3e03d0d2b312e32ff3cdeadb2

SHA512
c3b4d6260c6bd0abaeb0753d544ccf106c74ccebeea264b9b7cfe346f895bb66a7b69b4715a2478c76b5176d5f3eb7cdb4341ba522f1b74eea9058c3033e4e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43f5a59d550326030e30296de92197ae

SHA1
1ac58febf59a62f7f106bb831ca165fc442c3937

SHA256
2f1119942c891b0afcad4224a3fcb1f68d85bf7ee2fda5111e047caeb7002114

SHA512
805018a4b2c2610ef44cfa558340f8daccaf3542d3b8f83af7c11dab49afc7bd4b0a421d90b48f8dcd4483117b4dacd4681fd91e06f319eafae9211e80fa1b11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a98e022ce31fb254049323e9eebf267

SHA1
19912ca21c8a6805affe34df1d155b9bc48b5e7d

SHA256
df5c20a877f12403550e9b0306c8ecb2d159cbe9d7b0549941bcf9cf7d3f00a7

SHA512
27ecddb7cfd503b73aec5f2da456279a47307461a64390210327d824c60e7a32d99652908a46ac51c425f5dac0a9bfda18fcff157ff6d05d4ac704410b9e86c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcc56af1b1784434d5f12f56d814aea2

SHA1
c19a0dc2b508b05ff0f9fadcc90d14556394a13e

SHA256
b39f3dd6e1a5f758a9e7ad8665b3b871d72995f65204046aae165657be090bab

SHA512
58dd34a874a5aa2cdf9cd5d3c0441dfcfe54d91989f23d22fc52ee531d44d7b23c57b8208b7d668eee3f10177608ea2e1217beaccc3a15b174e51f487b689d79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0665876257de6a966eafc72d0e88eab

SHA1
645e65b061818a0aad04389af9a70ea13a2fc370

SHA256
6a391846aaa94d988713d622febcd452740bb1fec7a1177e1c8a6108f2190de9

SHA512
bc39092cbccd43d5dacfb6eee1915aff6c905900da5ce4117035467613afd0c81b8f658be8f69d1460d81a4071de3adca1e849eb4a0b9583bddf9b1229ab4087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
251dc867749005dc04305a40f65192f4

SHA1
7d0bd201d51775fb189b25573ae68d368f31951f

SHA256
972f05d0ed2d95b3365266487a895feb0fa92ddc49cfc97f3457c605f5508811

SHA512
f3b86a32f2a36602ecd03f8122317389a6717985fe98c323f7401fa18699b450baa41e107a5a2fea67f3bde5edb329c363f4dac38ce03783fd4b52cf26d4ca75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a278669f4d091e3348381c7e12c217d0

SHA1
b36f88c33fc1597dc07e4640a31d28df4558a250

SHA256
f0d995eadbd3dbf7a70cd8be6e3773e5d1234cb3e29656c6553299dadaee6b80

SHA512
03427323f036da131d84c9265cab082f8aa1f0ffddede503bff89de4c7b4ff6ae1824e86016f69ce904f02786963525672b2e4dcf1184d92a46b63d4bb48531d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcb21850420da7c6289f5385ca688f64

SHA1
61666ea7bebd29c444bc4989d5cf31ff1887d0b5

SHA256
a1f9d82af69bd42d6c3392639e1a8b67c113ed2feed95dfe51094c55e4087c66

SHA512
2f03717c28766ecef2d0bfe2389174fc02901ae27bcf91b563896bb096853dbdc577c9c14238b82a1026e1c81670a03a15cf93897edaa7b30c7fd129f59e5aec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0805d7c0753176e09046f0e08e1a4b1a

SHA1
d824ac3920d0bf0dda7989e1a32972437c114207

SHA256
c19ef1592dcf8111a55aa61e05744ba845536d177f616372722f7d775399de11

SHA512
ab4cc1491cdf2be9cfdca11419e9f5f3b5325794aa3a8bad7bd1968b63fd518c9207d829ac1fd0478e1192bc10888d18df849c0e5a092e777029886b3cdb745a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d4312ff5a0af7bd704a88490a3f15e6

SHA1
70b4349959c874d4b4e4c7d0f7bae625dcf98f80

SHA256
44de89379837aee63d518a9b0b1cb1e9a97a262641581569901ca4069175b68a

SHA512
9c1ba022e7bfeaa47cecd0c641490103fa7c480c607c4c674847314a34e54f0a7aa7b8bd1ba3c5bdef7780f6aab1a265e9dc6af1873c1551e705372b5e724eca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38c2f74176fc79c172320abf93eea158

SHA1
9d6baa2573f7a174ae6aeb17c1c6649f3bda6329

SHA256
9bf262f2bc6d243f45e838a091a38ea0b0f56e3f9d39a5558073168b4459454e

SHA512
6d9284e81e4d78fdd7ac2484fe3a0cdd05f483b171589decb65375f056ae487b6bd0088001aba26d413adb551da81848c1652a5670e679517b53af159768f543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6272d62e88e11a4eabe42501d57282ad

SHA1
e6434d37f4f8635b4b326edd26f7328d44c643c5

SHA256
3a4d8856459758d2ac16fed28e05e5fa24d6a83e6a74b9ac1c2f658855c78514

SHA512
d80e4449133f56f26b6946fbcd3a726c938a1656e72aae6bda454503a409f19ec145b89478da6afadd9bc78750710bc4ac0e2af49b4502392cd4e165b8a9ba44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aafd35aaf6e55df478f2c691214c7571

SHA1
abe74a20f398a3024bbbc180f774c180263d7ede

SHA256
07f02a9b43a1eabcec2d9c977a87fdec8b6cd1c371ad5c21bd123f10979cba29

SHA512
e79d6ea44d9f374374d0d596984f84f9ab94b9dfa231434482b5e0d232853795f02b26479a61cfbe2f52274ebaabc402842f15dd68af065ef0273dc05e012cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98b7dde3041e6b8c67da189a2d36e3dc

SHA1
3992818f451597ad7f1b594ae6651efcfcb8d454

SHA256
3cacf20f52fcb801cfe48f2f53a9ff06196ca0bda63bcfdfa04f90220cc3cd5c

SHA512
ec0ffa769262bf51924581d36be80be9e9bcf9ae2a3a067dca2566a0ec87306a25244816535a364cc6e5de38284153daab52509b5cfd501070c0ac32c38dd003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09e35f0b992c67b0d7465a4ea76f6e12

SHA1
1daa13c5663da31157485a317c60c83ee57d9052

SHA256
2e54083de595054dc5c35d5ed1aab704ab82df3246609a83865149de31abbeda

SHA512
9d99476ba909a2f54b9b9d4979359aebc0035b603b60a18d3b1f51db261ff99e2042d867c66ab100567f502c9fa3f982b2d340fdf8ddd1fc672a90b908cf9b4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9386922eb1f2b72df8340cb76d84ec5b

SHA1
116e0f503656423c79c5e124b0f44a518413383f

SHA256
669c299e2a8c45d58236a12f84a30913628e2c93c11f64d363a9ba0cc68400f7

SHA512
f31600bdefd47ee1878bb973acd9db9620672bf274e13004c719c2d72c633f314422dca38ee8106e41dc3abbf0bb79667f13bbb5d07ad90e3fd517c273f3bee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
176ba33e53a1b23912497109d5c4306b

SHA1
5ee6f5718fb05bb79d1acb6c77753e48790ecb0a

SHA256
019b89cc2ac7b0faa412a913b2b4a75418857a6b7693abb8268c9e16f42aafef

SHA512
5a5d319cfe84e4356a5905509701e54fc5e22838a9aab983fe6b9f4a3b299d84f2a80161a751ab05680eb151b777f8de443c29dee308eeda716b49573514e110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3464066576086741d47ce6323b5e5c58

SHA1
54f9ccb69dcf1edf47350c53df384c0f110922d5

SHA256
b191cb875a8dc6fc0dd95198aea526e8e24ddae55b14e7c9815cf165a7ca49ca

SHA512
d51d65810730c31fbd9d4b3b87cb38691f21367143e2be335f2f7d275784935d71ee522589c9f5bcc0e03b1eb3a677513410d6a099c54f532761659e14f9b260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
de4466c54f6adf358329a7b80a980d9a

SHA1
71a2a7dd47ec9020b1575d6fa1074dd21cbc30ae

SHA256
1ed0926fd1f04fbe75c723bce83add8bf21478fa7a5329cade2da5d272e38ffe

SHA512
571ff7749299ca4456bcecafa8bcc817ad53f1004cd142dbc2ed227affa64af4bb213995650aa016e506420534e7361008738c0c3db22658db2baf20e9951944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
134c1564d2155e739976c873f16efa35

SHA1
464bf4f4710bfe862b8252646ebfb23585dbeaeb

SHA256
ca4c700401387b1b2976c4468e9c1deffd5c201e599cee72483bf0af8d571551

SHA512
50717abac25373728ef2abb02418105e55bb0bb55e7acd012ce169d14e092d1763b17f1f2af8cbe469453a6347aa2969dd9b6aadcf9eb0704d765c0549af2ee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fa3e6b8e6b62d74cf922e54475637028

SHA1
4e2346e08d7d34365c3dc82a4670a5743bacd9a6

SHA256
6dfe6c20f2fd43a1d3ae6f7f1ebeb89d38f529fc23b845b06a05102ef886bcab

SHA512
345e80b6aaf1020afc988c17e7987975102f7e5068d51f3443fcde31e6c9fa56a047b3c3f392c87221d42bfaa31e7abae4537165d8b0d57402ba3bdaa40e4da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4e62439ceff5ede478b0405c178abd8a

SHA1
f9c746e9881fbf56a868f989e15b3b25b77c19ae

SHA256
fe028a42664b55c5556bc9aeaff0739b1abf76f01f3031a0334beda3800174e6

SHA512
b9d5cfa1a44d18dd970ee5e4bb31661a8f01233d72563cc2f67c3fb2709a94a945b04029fb482bc38f866744f799adfb09382294bd2f5fb43dd02eada3707a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
311KB

MD5
a6ab73f44cc5d4177f3625dfc810d12c

SHA1
41549f53da17969da02b481f865053e7e3839237

SHA256
f005b426bd18265e48930aafce21056811740f8b25522445f5bcc08d1378e94e

SHA512
7270c8cfec9a31b066b5f66a523c035cca6f5ffbcd5f1d97b8e87f2d0cd49dc2bd3143b1b36970fab9af1c72a23f6e615294d6e04ca87256e29b0c74432c687c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SPRIFH8L\recaptcha__ja[1].js

Filesize
535KB

MD5
bab58870c9795d7b5960d51928b1db27

SHA1
4b80bf5fc1379b5bf32d58453d3192395ac3fe9c

SHA256
3fb24ed21a2e083238ae71a42de7d9a97c568bffc7b28f9a20d35f00810f7f61

SHA512
492211250f059ed92a66fbb65f0e73f88be6e3f74620d50512deaf87f88f45b7eea7329ab89eccdd85f2536329cf5595d1bf67c17a6a65032dd1d37f12de9a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SPRIFH8L\safe[1].js

Filesize
2KB

MD5
cc60717c38d6a9e955f9447beef3ed0d

SHA1
3490e04a8692b2e7e278663921e396ad75f7c95c

SHA256
8de79f13c74898327672420b94b42c6682e84e82bee43518662824b16cb6ae8c

SHA512
9e6fca06008cbb42652f21febdef6678a1572382f52587bd2e31ea9885a3d2b7ea349abbbd51da2b4d122dab53adade2c2cb7d4df25fb351c719802ee97c86ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\favicon[1].ico

Filesize
1KB

MD5
0b6dcf9c1429088c7f079d7cc291bb66

SHA1
d23f9a17c55011a829c1365bcba999b27c4115f4

SHA256
4b0358b16230208179720a09d205b99a3e9764e63815b09e9f1716a02fccadcb

SHA512
50b3d19252cf4601c93108639c0c82cd578c1869aeedbb327a7f917c7c9142ebe893347c9a065ad8dbd61b0edcb160b5169b7272c2f3a3f807649b007461ab74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\styles[1].css

Filesize
2KB

MD5
ed96e327dc9d8338c9e8c83ec72ab5e1

SHA1
d4023cc8f7e294f28328366af2044e7fc0e2e615

SHA256
6fa264b7e5e4758facd452a22af99a6a5a3fc9c877a597b03be5756b206bd12c

SHA512
b332768d871853dfeda27db6e162efd56c96c3eb9f6a4225ba17c557d994fa04966d6f7a8fb68eb9d987ce4ab4c157f720854fc9d855696404af37848348a13b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
4595fd1b9440337c04a3135941f2b67b

SHA1
033a3645a09ba9d108b0d50b000f2ca96ed88eee

SHA256
474c200ac599e0b6c147694c4ad640364d5d41680c0f143d075d1c7228c6f18b

SHA512
a6431542c695e251b025e8ceeec40fbb70632db558ff0b7b5486df92fe2e016ac3f1f1028f7fd1ee97dc780f205dd49723873a9e2dc30b5cbb879786ae46f79c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\21816B0DB510050B0FACA059FFBCA789FAFF93A3

Filesize
17KB

MD5
ede91a37817ff98ed49129a72645ae67

SHA1
13f4391dde05804adf1b910ff38869fd32e02da6

SHA256
b4bfe58d46656fbcdbb3af37f99545d683359b66b06c40cd6e829056c031cdb1

SHA512
63edf6daa88c43ec53f3882b90f169a7f496a6d382969ae794f9905ee4b325cd4a067a3dad3303cc9b1dd9159734749ba4230dd1f132a15cc81e1e2d64de6f60

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\2587B8254FF29804EA8C313AE41DED8329BBA421

Filesize
13KB

MD5
9e9d39c2407784eaae179d648ae6b2b6

SHA1
a0f7ef5935f1ef2f5c34a4cdaba26bf1636fdc9f

SHA256
8829ea7f7b86a3ce9fa601d977a1c33f82fd622e9bd06dc34e11310e87596609

SHA512
e59e7079ff569e3826717a529c4a5e88cb4af34db41caea364b696aaa26d105276a3d158fad93fceb72858194e3dc2e69c642a5d7b8da88796ab8facad3f8da5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\A2BD72A3227572715C6CBC7E489B8F9A87263541

Filesize
14KB

MD5
540ca36017a7e7ae816d757424a89c84

SHA1
57ed916d2129563ceb72e205df1018e4caccce5a

SHA256
1bc6f7e53e86d5d04b25cd7f01aebc846247f29a6afb39f94b80014af1e1ccf3

SHA512
8eb3c30c1649103b254227e8424144c3855fed8bbd48fa9ea8179044704d195ffb6888b30020e70832ff225217c6f3493d8811058dc606635c0ec7272e0f118a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

Filesize
14KB

MD5
d6357f5edb9fe3fa1aa0f590fae18b8d

SHA1
596f719c253917ba1c524783d46875eb53a1f068

SHA256
cf9acd6054c3d066de19dcc019d1547344e7de79f7cc46cff236ed4faa97d9bf

SHA512
6b48970833c0a4f3fe6481d588312c1974235e763005851f1310705c568e0a5da6fb285e136081ce9c146c277e9baf25c2a5e255087da99202ea540008c3ac49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\B47C2290387CA81094036091C984E8DF3E89AE1C

Filesize
14KB

MD5
0278db15a2671f2eada88824cd916709

SHA1
41e9a35511a1c3ec9e3f2e50b65eb6bd32172087

SHA256
eaf4f85997c350c3b2d504e28816c4fc260a7b3189b9584d3d04f5ffe76a90fb

SHA512
e05fd06651123aee94f21a67ba26478dacbc5e604713f43ad5dbbe214d643fd120b3851bfe9387741bd9f4ba951733c87be650a21f31918d87b598b694d1b63a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\BF0923D6C9AC3F4148AB74C98E937ACD57DCEAD3

Filesize
16KB

MD5
b936e91215ce8c8cf9d89fb6d93eec88

SHA1
25df5da92a19fc983ed270ebed47b9a2f4249283

SHA256
df8a6f3a0769f08e5914db23950dc4d40413fb27548b2bab5e2583fc33421e65

SHA512
dcfe2788e87aff099b4e8be3c7f8495cc96b57fa8abc6bb95f36c419e0cddd0a06cf39da645cb63905a7de67eb48e53505cd18789b07dbc7f1349ab6e8517022

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6358.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar637A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF6ED3670C27D2CF1C.TMP

Filesize
16KB

MD5
b9f78f37a19b0864f503b37885417feb

SHA1
50fe0ac47b89ec1d1633023f2cd2147bc98ef1df

SHA256
08b391f8b42d5039d55856531ae54b8c740acd01804ed0eb8b68d90655fcd3dc

SHA512
d1d7c2c201289b56f62a69c88cf7169b01dcd95f3adc6d3379a28b4651b37f052b095274ac446fb118c36a304e8a162668c4af8b7ec6458eb50189966dcb1872

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\AlternateServices.txt

Filesize
465B

MD5
721648526c7d3b6d59a3cebb71d846ab

SHA1
6a3f2667a23be2e7b10aa175a065a9aa9e9cc31e

SHA256
d6d5cd01a0b1eb4914d136a0c985f2f646c0738a315e68863bccedf8d4aff3e8

SHA512
14f1033ef14d0f80c0d04f9b52f8c46d2f44382de206ab888f7160f8a9016d6cd9b0cdd719dad63f06a548f60847a91f2208e74fd9a3706621f693c9b421d0b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\SiteSecurityServiceState.txt

Filesize
603B

MD5
97a6ebc5142ccb21ba38810ae574f33d

SHA1
a13a460974984e875dcfe5e5488e87b9b2a0c7a4

SHA256
d6c1e49e923d14b5e8069d7eec03f9b589ff0a9b10c1d2d9bf96334a0bb357a1

SHA512
32167f37b20e93927387412bab3692c8c0052236c3211328902e580e99328a0250b83e62838f6c0419cb79ecf3e4e8431c33013cec8223ce30d7bd2ecbc26219

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cert9.db

Filesize
224KB

MD5
1f50445ee791e9873a19e1591fded234

SHA1
cddd035b5426201a7d8099bf33cb9ed28557bd46

SHA256
99425608af052ef4e08bffed006c89d391992eec22957418da92027d6036e5af

SHA512
7111c1c588dbd8cd056f393826ff86bcb4eb42323cec5ad293ad0f03e238fca9a5859bcb6fcbc90ce45f9464fd1f1473598a294d7bce96157d7ef78fe8afe311

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
9b3f79e06589ef01b720968eed0138ee

SHA1
fadb89ac6e7acee216e35e21e7ad32a6e2e44ece

SHA256
ab2f73b21274b5f41ca80fa723c1b56b339058c222550763698b92b87ceab228

SHA512
e104258f7b1e8ca8037a170f4a57df5eb1a0bbdb4ad07da893324131acf933d44453668a3ec5c524e8305dd7855e658ddc540774096da6e53855465f3b6e6737

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\1e6cb2c4-d361-49a4-b7aa-84facb20ac26

Filesize
745B

MD5
cd8f7604ce0b4a5507d4d437c5a94589

SHA1
8ddbc0702cb6db1da102de5ac7d20dd526c0ce20

SHA256
dbd68ba62f648156e64277bf1f9404821b566e8a8d13477032d391a837a3f98f

SHA512
21480238a28d3393c4f14ce1a6b96dd18413547af29df128fb410e4283845d0c6c9338eb23126cf36bec5475d3e0c3afef83315de3129b4c281f421811943ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\da3b63cd-3795-4ab3-8ca1-a5a54ad502dc

Filesize
10KB

MD5
eff6b9ac71ea8e0650f95a69941bef21

SHA1
4417cb35981984c85e65e6e97c13b580b4be387f

SHA256
8ad0738c4825f6a8d631afdcaeeb7b392552b4014cf80cb2b7595b492f71dc70

SHA512
c9824c0a2ed0140a63e178f784a1add82f423f9f4b228d578439538fa16d0c06e764639fd4e1fe6233a32ddbf05c9d5b45937fd557ee892c1cbac51023638a8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

Filesize
6KB

MD5
7ce984a34a07d9cb1d71219a50543a23

SHA1
c6025e4005b051f09547222f1a3543edb698e49a

SHA256
ece84083b7e073343264de8e2f74402d25f3f3e608dc92704cde86b0a4905f10

SHA512
5f92156f0c507ed3b0c828a93ac33df38cb78731e557864b2b158cbc9bc25ecfcff152fe2a61686f66d8f4d6420d7de98f580303fbd7b1f44bb2badd794d9765

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

Filesize
6KB

MD5
c2c34cc66d46c37e96aa2b298f0ce3ce

SHA1
1612325b778522398e72effa39723f3e2811ed90

SHA256
00fd35afea8b0fc975eb1ef931157c6a7f7db14877dcb7da3816b88bb9d00439

SHA512
394739056298aa20edfadddc10976d659b3e6fa999217a4b158ac0dcdaecc38cb3b33f2eaa0eb0b8a43bfec923019283f624f93bfd3e28f2b86e2fa71388cc02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
827604c76563783524968a8276fe1c54

SHA1
cdae9954b0e428e999af6b2e7a073897c84c02b8

SHA256
de00e5f5cbd2c0102bb65ac99c9bd8d61132d2200935f33152259ec1ce35bfd4

SHA512
dd2e72d2a0e4d74dd5015a1e63a61b3bf5d68b265bc707eb89beb2c90b02f003dbd4ea11b4f056cda04326471e41ab50f8b71f1b48b0c51fa68d51211891e009

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6e92699207123d3e84950ef37ce668c9

SHA1
aa0091c71f93766f13f26d6e46b125d2e7e088fc

SHA256
c6e7298539fd7470c13ce0593872ec80ce8487c397d4b5c7c67110117ef5038a

SHA512
b46bc949bdee47a966e59ab536e237b924f1555c284a7b1a0e926643b1ef7f7fa64bb677b8221d828470e2041e04fbb79cc619a743cd567524b51d9c56a975ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7a657485c1be27ff4252c5e156133aed

SHA1
db285431f05faede1bf4a56b12cfb60c6fe09eb3

SHA256
79d439735c7f1b65a97f1ad7dd5edfc8d4dfa81a6c8feb06d8039692f9b216bf

SHA512
fc208f6a1f43025844d2484c8e89dcbb71407e7b0eaa4f1965784a93c28a4b7599c55b04a507974f1887868d68c70553972f9798a1bffbed735d75b73ceafa88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f9c3beb4330715ac1aa41dccac222d4a

SHA1
74bcefdb8e06ac3f4752a1f051a74ca7f082990d

SHA256
ceeece0e5b986fad71f3dba1c7d55c09dfa127288a8b8a186449baa9d0a1c4f2

SHA512
9056da0627082d58db0399c31658d543f20a2cc0a9b63664c23e54c6aaa0cb98f83609e84ff50f8d73b6437947a759f53960f4790a54180c9d07f28c5cedeafe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
1c0158a5b33b6ab187abd0fd0f74f35e

SHA1
97e586b858f61f320b0e7b5725c80c43094b5477

SHA256
26b13fcf6ef72ededcc2019c914209bf26cf6e815342d25b8eca9b3837bdf294

SHA512
5278e9be5bbea3d89772e93197457a2ae957a797d33207bb83637f90d012a1331e58834231ab72a985c7ff251f04044194d4481fc8eaaba8aa711ffaa60ccf03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
c72f5b7879c02ff715fe4eed959c6ed5

SHA1
f5e8155066fa0059764ef5a7505e37a358b8391e

SHA256
64b8911e660b7620b9df7dbd902052edc7d4c90a03b73d5f6dd67381a0585bd3

SHA512
3fd7ce8c3a0052b5701ba1cbadf79b9bd9bcde1e2648e0b795629aec491259ab77afe2ab01be2d76b88b538ba46c76f21eda1058f44fab2892f9ee5ae9914d64

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
19.8MB

MD5
93e769b1281eb50a0819f1fcfc49ca3c

SHA1
2013131d94397a85b3febfa802789d72a01e5edb

SHA256
cc778bb4c3f7bb8513e6ee17da10cc1d593fd9b425c2b571eda40ae63025bf1b

SHA512
051f38b3cb15d2c21a386460892433bfda03ed47e711e87f0ecad83c77d5f21a22f65c442e338a6f03cd017c8398657811b9b2ade0e36abdf4c0668d9f847de3

Download Submit
C:\Users\Admin\Desktop\00000000.res

Filesize
136B

MD5
a5e17de748ee22ff8a478810b8bd005c

SHA1
3b884091a07cb997148c4c55b3bd1f98db5b887b

SHA256
9a3a2f6de447dcebae7c47c3a31f60fdb0af908d6b7eebe41bd54319ad4d07ee

SHA512
982056337b3437dc10d6e8d2456a6754b67bfe7a3dd8558ffd7027906ff865e87d8fbcc178ef8258cd1b557d28c81efa7d0d053e359790ce023ef3bc80a615cc

Download Submit
C:\Users\Admin\Desktop\223641722698710.bat

Filesize
318B

MD5
b741d0951bc2d29318d75208913ea377

SHA1
a13de54ccfbd4ea29d9f78b86615b028bd50d0a5

SHA256
595dc1b7a6f1d7933c2d142d773e445dbc7b1a2089243b51193bc7f730b1c8df

SHA512
bf7b44ba7f0cfe093b24f26b288b715c0f0910fa7dc5f318edfc5c4fdc8c9b8a3b6ced5b61672ecfa9820ffd054b5bc2650ae0812804d2b3fc901aa06dd3ca14

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
472B

MD5
74775c0ecb72c20fb66009e828b6c26e

SHA1
a72edbdebc6651efe63c4c363f5296d2fdf3fe54

SHA256
51658c4d28328afb232be6f71a4c40dc60401e7bbfdc163b624409a9ca6186c0

SHA512
9a9a08a8e6b0798273f819bc848760605aefbc80f08ba1f14d216dfb0c9ce5b9e0b7f3cf25373c79ec1061b9ba72c9337d134cd6660755e8158ba3e7e8b4180e

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\Desktop\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Desktop\m.vbs

Filesize
197B

MD5
94bdc24abf89cb36e00816911e6ae19e

SHA1
87335eea1d8eb1d70e715cc88daf248bb1f83021

SHA256
e9757f002a632de82ff9bd1283f90bcff2eec4ce6926f8b7e37879ff0c518660

SHA512
3bec73a3c6360499bb280aec0562157cda47c8ed11e3b1280c4fb8a457ab48dc1f3aea42d6a0d5c2842d60ca09436da96ef7136c0652d2b5c613fae87799ac0f

Download Submit
C:\Users\Admin\Desktop\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Desktop\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Desktop\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Desktop\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Desktop\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Desktop\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Desktop\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Desktop\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Desktop\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Desktop\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Desktop\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Desktop\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Desktop\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Desktop\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Desktop\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Desktop\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Desktop\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Desktop\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Desktop\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Desktop\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Desktop\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Desktop\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Desktop\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Desktop\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Desktop\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Desktop\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Desktop\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Desktop\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Desktop\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2._7pj41yj.0-master.zip.part

Filesize
3.3MB

MD5
017f199a7a5f1e090e10bbd3e9c885ca

SHA1
4e545b77d1be2445b2f0163ab2d6f2f01ec4ca05

SHA256
761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f

SHA512
76215a26588204247027dcfdab4ea583443b2b2873ff92ad7dd5e9a9037c77d20ab4e471b8dd83e642d8481f53dbc0f83f993548dc7d151dead48dc29c1fdc22

Download Submit
C:\Users\Admin\Downloads\SQxlCMQ0.zip.part

Filesize
8KB

MD5
a043dc5c624d091f7c2600dd18b300b7

SHA1
4682f79dabfc6da05441e2b6d820382ff02b4c58

SHA256
0acffde0f952b44d500cf2689d6c9ab87e66ac7fa29a51f3c3e36a43ea5e694a

SHA512
ee4f691a6c7b6c047bca49723b65e5980a8f83cbbc129ddfd578b855430b78acf3d0e461238739cd64c8a5c9071fe132c10da3ac28085fc978b6a19ee1ca3313

Download Submit
\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
memory/1772-2078-0x0000000071750000-0x00000000717C7000-memory.dmp

Filesize
476KB

Download
memory/1772-2081-0x0000000071470000-0x0000000071492000-memory.dmp

Filesize
136KB

Download
memory/1772-2068-0x0000000071530000-0x000000007174C000-memory.dmp

Filesize
2.1MB

Download
memory/1772-2070-0x0000000071470000-0x0000000071492000-memory.dmp

Filesize
136KB

Download
memory/1772-2071-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/1772-3063-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/1772-3297-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/1772-3067-0x0000000071530000-0x000000007174C000-memory.dmp

Filesize
2.1MB

Download
memory/1772-2075-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/1772-3326-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/1772-2080-0x00000000714A0000-0x0000000071522000-memory.dmp

Filesize
520KB

Download
memory/1772-2067-0x00000000717D0000-0x0000000071852000-memory.dmp

Filesize
520KB

Download
memory/1772-2079-0x0000000071530000-0x000000007174C000-memory.dmp

Filesize
2.1MB

Download
memory/1772-2288-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/1772-2077-0x0000000073BE0000-0x0000000073BFC000-memory.dmp

Filesize
112KB

Download
memory/1772-2076-0x00000000717D0000-0x0000000071852000-memory.dmp

Filesize
520KB

Download
memory/1772-2083-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/1772-2093-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/1772-2292-0x0000000071530000-0x000000007174C000-memory.dmp

Filesize
2.1MB

Download
memory/1772-2097-0x0000000071530000-0x000000007174C000-memory.dmp

Filesize
2.1MB

Download
memory/1772-2228-0x0000000071530000-0x000000007174C000-memory.dmp

Filesize
2.1MB

Download
memory/1772-2069-0x00000000714A0000-0x0000000071522000-memory.dmp

Filesize
520KB

Download
memory/1772-2224-0x0000000000BE0000-0x0000000000EDE000-memory.dmp

Filesize
3.0MB

Download
memory/2816-1055-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download