VMRay Analyzer Report for Sample #17425
VMRay Analyzer 2.1.0

Process 1 2720 wanacry6.malware.exe 312 wanacry6.malware.exe "C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe" C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe
Process 2 2932 cmd.exe 2720 cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\cmd.exe
Process 3 2948 conhost.exe 2932 conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff C:\Windows c:\windows\system32\conhost.exe
Process 4 3016 schtasks.exe 2932 schtasks.exe schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\schtasks.exe
Process 5 816 svchost.exe 512 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 6 1636 cmd.exe 2720 cmd.exe C:\Windows\system32\cmd.exe /C title 4180649|vssadmin.exe Delete Shadows /All /Quiet C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\cmd.exe
Process 7 2472 cmd.exe 2720 cmd.exe C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\cmd.exe
Process 8 1524 cmd.exe 2720 cmd.exe C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\cmd.exe
Process 9 2092 conhost.exe 1636 conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff C:\Windows c:\windows\system32\conhost.exe
Process 10 2112 conhost.exe 2472 conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff C:\Windows c:\windows\system32\conhost.exe
Process 11 2100 conhost.exe 1524 conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff C:\Windows c:\windows\system32\conhost.exe
Process 12 1452 dllhost.exe 576 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} C:\Windows\system32\ c:\windows\system32\dllhost.exe
Process 13 1932 cmd.exe 2472 cmd.exe C:\Windows\system32\cmd.exe /S /D /c" title 9538298" C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\cmd.exe
Process 14 2164 bcdedit.exe 2472 bcdedit.exe bcdedit /set {default} recoveryenabled No C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\bcdedit.exe
Process 15 2300 cmd.exe 1636 cmd.exe C:\Windows\system32\cmd.exe /S /D /c" title 4180649" C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\cmd.exe
Process 16 2312 vssadmin.exe 1636 vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\vssadmin.exe
Process 17 2208 cmd.exe 1524 cmd.exe C:\Windows\system32\cmd.exe /S /D /c" title 8997147" C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\cmd.exe
Process 18 2360 bcdedit.exe 1524 bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Users\5JgHKoaOfdp\Desktop\ c:\windows\system32\bcdedit.exe
Process 19 2176 wanacr~1.exe 2720 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 20 792 vssvc.exe 512 vssvc.exe C:\Windows\system32\vssvc.exe C:\Windows\system32\ c:\windows\system32\vssvc.exe
Process 21 2872 svchost.exe 512 svchost.exe C:\Windows\System32\svchost.exe -k swprv C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 22 2172 wanacr~1.exe 2176 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 23 2496 wanacr~1.exe 2172 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 24 2620 wanacr~1.exe 2496 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 25 2784 wanacr~1.exe 2620 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 26 2652 wanacr~1.exe 2784 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 27 2696 wanacr~1.exe 2652 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 28 2408 wanacr~1.exe 2696 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 29 824 wanacr~1.exe 2408 wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE C:\Users\5JgHKoaOfdp\Desktop\ c:\users\5jghko~1\desktop\wanacr~1.exe
Process 30 4 System 18446744073709551615 System None System
Process 31 236 smss.exe 4 smss.exe \SystemRoot\System32\smss.exe C:\Windows c:\windows\system32\smss.exe
Process 32 252 autochk.exe 236 autochk.exe \??\C:\Windows\system32\autochk.exe * C:\Windows\system32\ c:\windows\system32\autochk.exe
Process 33 304 smss.exe 236 smss.exe \SystemRoot\System32\smss.exe 00000000 00000050 C:\Windows\ c:\windows\system32\smss.exe
Process 34 320 csrss.exe 304 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 C:\Windows\system32\ c:\windows\system32\csrss.exe
Process 35 380 smss.exe 236 smss.exe \SystemRoot\System32\smss.exe 00000001 00000050 C:\Windows\ c:\windows\system32\smss.exe
Process 36 388 wininit.exe 304 wininit.exe wininit.exe C:\Windows\system32\ c:\windows\system32\wininit.exe
Process 37 396 csrss.exe 380 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 C:\Windows\system32\ c:\windows\system32\csrss.exe
Process 38 424 winlogon.exe 380 winlogon.exe winlogon.exe C:\Windows\system32\ c:\windows\system32\winlogon.exe
Process 39 460 services.exe 388 services.exe C:\Windows\system32\services.exe C:\Windows\system32\ c:\windows\system32\services.exe
Process 40 468 lsass.exe 388 lsass.exe C:\Windows\system32\lsass.exe C:\Windows\system32\ c:\windows\system32\lsass.exe
Process 41 552 svchost.exe 460 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 42 580 svchost.exe 460 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 43 660 dwm.exe 424 dwm.exe "dwm.exe" C:\Windows\system32\ c:\windows\system32\dwm.exe
Process 44 668 logonui.exe 424 logonui.exe "LogonUI.exe" /flags:0x0 C:\Windows\system32\ c:\windows\system32\logonui.exe
Process 45 772 svchost.exe 460 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 46 800 svchost.exe 460 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 47 848 svchost.exe 460 svchost.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 48 888 svchost.exe 460 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 49 224 svchost.exe 460 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 50 280 dllhost.exe 552 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} C:\Windows\system32\ c:\windows\system32\dllhost.exe
Process 51 988 spoolsv.exe 460 spoolsv.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\ c:\windows\system32\spoolsv.exe
Process 52 1016 userinit.exe 424 userinit.exe C:\Windows\system32\userinit.exe C:\Windows\system32\ c:\windows\system32\userinit.exe
Process 53 564 taskhost.exe 800 taskhost.exe taskhost.exe C:\Windows\system32\ c:\windows\system32\taskhost.exe
Process 54 1048 explorer.exe 1016 explorer.exe C:\Windows\Explorer.EXE C:\Windows\system32\ c:\windows\explorer.exe
Process 55 1056 taskhostex.exe 800 taskhostex.exe taskhostex.exe C:\Windows\system32\ c:\windows\system32\taskhostex.exe
Process 56 1080 taskhost.exe 800 taskhost.exe taskhost.exe USER C:\Windows\system32\ c:\windows\system32\taskhost.exe
Process 57 1088 svchost.exe 460 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 58 1104 wanacr~1.exe 800 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 59 1116 msoia.exe 800 msoia.exe "C:\Program Files\Microsoft Office\Office15\msoia.exe" scan upload C:\Windows\system32\ c:\program files\microsoft office\office15\msoia.exe
Process 60 1216 taskhost.exe 800 taskhost.exe taskhost.exe TpmTasks C:\Windows\system32\ c:\windows\system32\taskhost.exe
Process 61 1432 dllhost.exe 552 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} C:\Windows\system32\ c:\windows\system32\dllhost.exe
Process 62 1536 thumbnailextractionhost.exe 552 thumbnailextractionhost.exe C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding C:\Windows\system32\ c:\windows\system32\thumbnailextractionhost.exe
Process 63 1584 armsvc.exe 460 armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" C:\Windows\system32\ c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
Process 64 1704 dllhost.exe 552 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} C:\Windows\system32\ c:\windows\system32\dllhost.exe
Process 65 1972 svchost.exe 460 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 66 948 taskhost.exe 800 taskhost.exe taskhost.exe C:\Windows\system32\ c:\windows\system32\taskhost.exe
Process 67 1812 mobsync.exe 552 mobsync.exe C:\Windows\System32\mobsync.exe -Embedding C:\Windows\system32\ c:\windows\system32\mobsync.exe
Process 68 2232 audiodg.exe 772 audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x7d8 C:\Windows c:\windows\system32\audiodg.exe
Process 69 2284 wanacr~1.exe 1104 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 70 2320 wanacr~1.exe 2284 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 71 2356 wanacr~1.exe 2320 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 72 2392 wanacr~1.exe 2356 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 73 2432 wanacr~1.exe 2392 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 74 2468 wanacr~1.exe 2432 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 75 2504 wanacr~1.exe 2468 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 76 2520 thumbnailextractionhost.exe 552 thumbnailextractionhost.exe C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding C:\Windows\system32\ c:\windows\system32\thumbnailextractionhost.exe
Process 77 2568 wanacr~1.exe 2504 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 78 2624 wanacr~1.exe 2568 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 79 2660 wanacr~1.exe 2624 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 80 2696 wanacr~1.exe 2660 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 81 2732 wanacr~1.exe 2696 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 82 2768 wanacr~1.exe 2732 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 83 2804 wanacr~1.exe 2768 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 84 2840 wanacr~1.exe 2804 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 85 2876 wanacr~1.exe 2840 wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE C:\Windows\system32\ c:\progra~1\common~1\wanacr~1.exe
Process 86 2176 sppsvc.exe 460 sppsvc.exe C:\Windows\system32\sppsvc.exe C:\Windows c:\windows\system32\sppsvc.exe

File STD_INPUT_HANDLE
File STD_OUTPUT_HANDLE
File STD_ERROR_HANDLE
File users\5jghkoaofdp\desktop\wanacry6.malware.exe users\5jghkoaofdp\desktop\wanacry6.malware.exe c:\ c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe exe
File users\5jghkoaofdp\contacts\lulcit amkdfe.contact
users\5jghkoaofdp\documents\fw u\dqohpg0nf9r1mosxu\wkbfm0bgic5.pps c:\ c:\users\5jghkoaofdp\documents\fw u\dqohpg0nf9r1mosxu\wkbfm0bgic5.pps pps File users\5jghkoaofdp\documents\fw u\dqohpg0nf9r1mosxu\wkbfm0bgic5.encrypted.pps users\5jghkoaofdp\documents\fw u\dqohpg0nf9r1mosxu\wkbfm0bgic5.encrypted.pps c:\ c:\users\5jghkoaofdp\documents\fw u\dqohpg0nf9r1mosxu\wkbfm0bgic5.encrypted.pps pps MD5 016becc51450c820dde6162f0ac08715 SHA1 3c89849ac87f40f76cac4658dadba6f778632906 SHA256 c9351874bc42f12d279b4559b9a3ae1c996c20baa21473a8714151a4c9ac6b89 File users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\act2argtylahcfwx ti2.encrypted.pps users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\act2argtylahcfwx ti2.encrypted.pps c:\ c:\users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\act2argtylahcfwx ti2.encrypted.pps pps File users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\dpjxt01pyg1dsu8dgdrx.pdf users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\dpjxt01pyg1dsu8dgdrx.pdf c:\ c:\users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\dpjxt01pyg1dsu8dgdrx.pdf pdf File users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\dpjxt01pyg1dsu8dgdrx.encrypted.pdf users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\dpjxt01pyg1dsu8dgdrx.encrypted.pdf c:\ c:\users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\dpjxt01pyg1dsu8dgdrx.encrypted.pdf pdf File users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\h_idtn9q4xor8as.ots users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\h_idtn9q4xor8as.ots c:\ c:\users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\h_idtn9q4xor8as.ots ots File users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\h_idtn9q4xor8as.encrypted.ots users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\h_idtn9q4xor8as.encrypted.ots c:\ c:\users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\h_idtn9q4xor8as.encrypted.ots ots File users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\par3v.docx users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\par3v.docx c:\ 
c:\users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\par3v.docx docx File users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\par3v.encrypted.docx users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\par3v.encrypted.docx c:\ c:\users\5jghkoaofdp\documents\fw u\gifhucqicytovjewuyw\par3v.encrypted.docx docx File users\5jghkoaofdp\documents\fw u\gmgulv1jfwyowc.pdf users\5jghkoaofdp\documents\fw u\gmgulv1jfwyowc.pdf c:\ c:\users\5jghkoaofdp\documents\fw u\gmgulv1jfwyowc.pdf pdf File users\5jghkoaofdp\documents\fw u\gmgulv1jfwyowc.encrypted.pdf users\5jghkoaofdp\documents\fw u\gmgulv1jfwyowc.encrypted.pdf c:\ c:\users\5jghkoaofdp\documents\fw u\gmgulv1jfwyowc.encrypted.pdf pdf File users\5jghkoaofdp\documents\fw u\ixoskeriaoimk.ods users\5jghkoaofdp\documents\fw u\ixoskeriaoimk.ods c:\ c:\users\5jghkoaofdp\documents\fw u\ixoskeriaoimk.ods ods File users\5jghkoaofdp\documents\fw u\ixoskeriaoimk.encrypted.ods users\5jghkoaofdp\documents\fw u\ixoskeriaoimk.encrypted.ods c:\ c:\users\5jghkoaofdp\documents\fw u\ixoskeriaoimk.encrypted.ods ods File users\5jghkoaofdp\documents\fw u\qhhai\2-l_bj82.pps users\5jghkoaofdp\documents\fw u\qhhai\2-l_bj82.pps c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\2-l_bj82.pps pps File users\5jghkoaofdp\documents\fw u\qhhai\2-l_bj82.encrypted.pps users\5jghkoaofdp\documents\fw u\qhhai\2-l_bj82.encrypted.pps c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\2-l_bj82.encrypted.pps pps File users\5jghkoaofdp\documents\fw u\qhhai\bftnn-lfcqrk6y3v.ods users\5jghkoaofdp\documents\fw u\qhhai\bftnn-lfcqrk6y3v.ods c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\bftnn-lfcqrk6y3v.ods ods File users\5jghkoaofdp\documents\fw u\qhhai\bftnn-lfcqrk6y3v.encrypted.ods users\5jghkoaofdp\documents\fw u\qhhai\bftnn-lfcqrk6y3v.encrypted.ods c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\bftnn-lfcqrk6y3v.encrypted.ods ods File users\5jghkoaofdp\documents\fw u\qhhai\fpffavx.rtf users\5jghkoaofdp\documents\fw u\qhhai\fpffavx.rtf c:\ c:\users\5jghkoaofdp\documents\fw 
u\qhhai\fpffavx.rtf rtf File users\5jghkoaofdp\documents\fw u\qhhai\fpffavx.encrypted.rtf users\5jghkoaofdp\documents\fw u\qhhai\fpffavx.encrypted.rtf c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\fpffavx.encrypted.rtf rtf File users\5jghkoaofdp\documents\fw u\qhhai\gozxv-s.xlsx users\5jghkoaofdp\documents\fw u\qhhai\gozxv-s.xlsx c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\gozxv-s.xlsx xlsx File users\5jghkoaofdp\documents\fw u\qhhai\gozxv-s.encrypted.xlsx users\5jghkoaofdp\documents\fw u\qhhai\gozxv-s.encrypted.xlsx c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\gozxv-s.encrypted.xlsx xlsx File users\5jghkoaofdp\documents\fw u\qhhai\lxe-5p6iu.encrypted.pdf users\5jghkoaofdp\documents\fw u\qhhai\lxe-5p6iu.encrypted.pdf c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\lxe-5p6iu.encrypted.pdf pdf File users\5jghkoaofdp\documents\fw u\qhhai\mz7ef7dcig3 gnt3v.xls users\5jghkoaofdp\documents\fw u\qhhai\mz7ef7dcig3 gnt3v.xls c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\mz7ef7dcig3 gnt3v.xls xls File users\5jghkoaofdp\documents\fw u\qhhai\mz7ef7dcig3 gnt3v.encrypted.xls users\5jghkoaofdp\documents\fw u\qhhai\mz7ef7dcig3 gnt3v.encrypted.xls c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\mz7ef7dcig3 gnt3v.encrypted.xls xls File users\5jghkoaofdp\documents\fw u\qhhai\ohqsvpub.encrypted.docx users\5jghkoaofdp\documents\fw u\qhhai\ohqsvpub.encrypted.docx c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\ohqsvpub.encrypted.docx docx File users\5jghkoaofdp\documents\fw u\qhhai\z qh-1_5g2nypxao.rtf users\5jghkoaofdp\documents\fw u\qhhai\z qh-1_5g2nypxao.rtf c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\z qh-1_5g2nypxao.rtf rtf File users\5jghkoaofdp\documents\fw u\qhhai\z qh-1_5g2nypxao.encrypted.rtf users\5jghkoaofdp\documents\fw u\qhhai\z qh-1_5g2nypxao.encrypted.rtf c:\ c:\users\5jghkoaofdp\documents\fw u\qhhai\z qh-1_5g2nypxao.encrypted.rtf rtf File users\5jghkoaofdp\documents\gxvaj.pptx users\5jghkoaofdp\documents\gxvaj.pptx c:\ c:\users\5jghkoaofdp\documents\gxvaj.pptx pptx File 
users\5jghkoaofdp\documents\gxvaj.encrypted.pptx users\5jghkoaofdp\documents\gxvaj.encrypted.pptx c:\ c:\users\5jghkoaofdp\documents\gxvaj.encrypted.pptx pptx File users\5jghkoaofdp\documents\hynwiycz.csv users\5jghkoaofdp\documents\hynwiycz.csv c:\ c:\users\5jghkoaofdp\documents\hynwiycz.csv csv File users\5jghkoaofdp\documents\hynwiycz.encrypted.csv users\5jghkoaofdp\documents\hynwiycz.encrypted.csv c:\ c:\users\5jghkoaofdp\documents\hynwiycz.encrypted.csv csv File users\5jghkoaofdp\documents\my new app.accdb users\5jghkoaofdp\documents\my new app.accdb c:\ c:\users\5jghkoaofdp\documents\my new app.accdb accdb File users\5jghkoaofdp\documents\my new app.encrypted.accdb users\5jghkoaofdp\documents\my new app.encrypted.accdb c:\ c:\users\5jghkoaofdp\documents\my new app.encrypted.accdb accdb File users\5jghkoaofdp\documents\my shapes\desktop.ini users\5jghkoaofdp\documents\my shapes\desktop.ini c:\ c:\users\5jghkoaofdp\documents\my shapes\desktop.ini ini File users\5jghkoaofdp\documents\my shapes\_private\folder.ico users\5jghkoaofdp\documents\my shapes\_private\folder.ico c:\ c:\users\5jghkoaofdp\documents\my shapes\_private\folder.ico ico File users\5jghkoaofdp\documents\my shapes\_private\folder.encrypted.ico users\5jghkoaofdp\documents\my shapes\_private\folder.encrypted.ico c:\ c:\users\5jghkoaofdp\documents\my shapes\_private\folder.encrypted.ico ico File users\5jghkoaofdp\documents\neafrbuex2u7\-nterrdy.xlsx users\5jghkoaofdp\documents\neafrbuex2u7\-nterrdy.xlsx c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\-nterrdy.xlsx xlsx File users\5jghkoaofdp\documents\neafrbuex2u7\-nterrdy.encrypted.xlsx users\5jghkoaofdp\documents\neafrbuex2u7\-nterrdy.encrypted.xlsx c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\-nterrdy.encrypted.xlsx xlsx File users\5jghkoaofdp\documents\neafrbuex2u7\5cq0nxpqprd.xls users\5jghkoaofdp\documents\neafrbuex2u7\5cq0nxpqprd.xls c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\5cq0nxpqprd.xls xls File 
users\5jghkoaofdp\documents\neafrbuex2u7\5cq0nxpqprd.encrypted.xls users\5jghkoaofdp\documents\neafrbuex2u7\5cq0nxpqprd.encrypted.xls c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\5cq0nxpqprd.encrypted.xls xls File users\5jghkoaofdp\documents\neafrbuex2u7\k27yuqyogg7erx5ry.rtf users\5jghkoaofdp\documents\neafrbuex2u7\k27yuqyogg7erx5ry.rtf c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\k27yuqyogg7erx5ry.rtf rtf File users\5jghkoaofdp\documents\neafrbuex2u7\k27yuqyogg7erx5ry.encrypted.rtf users\5jghkoaofdp\documents\neafrbuex2u7\k27yuqyogg7erx5ry.encrypted.rtf c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\k27yuqyogg7erx5ry.encrypted.rtf rtf File users\5jghkoaofdp\documents\neafrbuex2u7\lil6ph6oee7iutk.ods users\5jghkoaofdp\documents\neafrbuex2u7\lil6ph6oee7iutk.ods c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\lil6ph6oee7iutk.ods ods File users\5jghkoaofdp\documents\neafrbuex2u7\lil6ph6oee7iutk.encrypted.ods users\5jghkoaofdp\documents\neafrbuex2u7\lil6ph6oee7iutk.encrypted.ods c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\lil6ph6oee7iutk.encrypted.ods ods File users\5jghkoaofdp\documents\neafrbuex2u7\ljdvlgso.pps users\5jghkoaofdp\documents\neafrbuex2u7\ljdvlgso.pps c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\ljdvlgso.pps pps File users\5jghkoaofdp\documents\neafrbuex2u7\ljdvlgso.encrypted.pps users\5jghkoaofdp\documents\neafrbuex2u7\ljdvlgso.encrypted.pps c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\ljdvlgso.encrypted.pps pps File users\5jghkoaofdp\documents\neafrbuex2u7\pvndpv7cycnkjebeijov.xlsx users\5jghkoaofdp\documents\neafrbuex2u7\pvndpv7cycnkjebeijov.xlsx c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\pvndpv7cycnkjebeijov.xlsx xlsx File users\5jghkoaofdp\documents\neafrbuex2u7\pvndpv7cycnkjebeijov.encrypted.xlsx users\5jghkoaofdp\documents\neafrbuex2u7\pvndpv7cycnkjebeijov.encrypted.xlsx c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\pvndpv7cycnkjebeijov.encrypted.xlsx xlsx File users\5jghkoaofdp\documents\neafrbuex2u7\v2zrxhejbqrq 
x60dfm7.odp users\5jghkoaofdp\documents\neafrbuex2u7\v2zrxhejbqrq x60dfm7.odp c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\v2zrxhejbqrq x60dfm7.odp odp File users\5jghkoaofdp\documents\neafrbuex2u7\vpx0zm61g2e4ge.doc users\5jghkoaofdp\documents\neafrbuex2u7\vpx0zm61g2e4ge.doc c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\vpx0zm61g2e4ge.doc doc File users\5jghkoaofdp\documents\neafrbuex2u7\xuz02tplujg4do_gi5gm.docx users\5jghkoaofdp\documents\neafrbuex2u7\xuz02tplujg4do_gi5gm.docx c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\xuz02tplujg4do_gi5gm.docx docx File users\5jghkoaofdp\documents\neafrbuex2u7\xuz02tplujg4do_gi5gm.encrypted.docx users\5jghkoaofdp\documents\neafrbuex2u7\xuz02tplujg4do_gi5gm.encrypted.docx c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\xuz02tplujg4do_gi5gm.encrypted.docx docx File users\5jghkoaofdp\documents\neafrbuex2u7\zg4rgb0kxt-5dpkfb.ods users\5jghkoaofdp\documents\neafrbuex2u7\zg4rgb0kxt-5dpkfb.ods c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\zg4rgb0kxt-5dpkfb.ods ods File users\5jghkoaofdp\documents\neafrbuex2u7\zg4rgb0kxt-5dpkfb.encrypted.ods users\5jghkoaofdp\documents\neafrbuex2u7\zg4rgb0kxt-5dpkfb.encrypted.ods c:\ c:\users\5jghkoaofdp\documents\neafrbuex2u7\zg4rgb0kxt-5dpkfb.encrypted.ods ods File users\5jghkoaofdp\documents\onenote notebooks\my notebook\open notebook.onetoc2 users\5jghkoaofdp\documents\onenote notebooks\my notebook\open notebook.onetoc2 c:\ c:\users\5jghkoaofdp\documents\onenote notebooks\my notebook\open notebook.onetoc2 onetoc2 File users\5jghkoaofdp\documents\onenote notebooks\my notebook\open notebook.encrypted.onetoc2 users\5jghkoaofdp\documents\onenote notebooks\my notebook\open notebook.encrypted.onetoc2 c:\ c:\users\5jghkoaofdp\documents\onenote notebooks\my notebook\open notebook.encrypted.onetoc2 onetoc2 File users\5jghkoaofdp\documents\onenote notebooks\my notebook\quick notes.one users\5jghkoaofdp\documents\onenote notebooks\my notebook\quick notes.one c:\ 
c:\users\5jghkoaofdp\documents\onenote notebooks\my notebook\quick notes.one one File users\5jghkoaofdp\documents\onenote notebooks\my notebook\quick notes.encrypted.one users\5jghkoaofdp\documents\onenote notebooks\my notebook\quick notes.encrypted.one c:\ c:\users\5jghkoaofdp\documents\onenote notebooks\my notebook\quick notes.encrypted.one one MD5 75c6ce6d9424b73aa80240b86b17a7cf SHA1 93cd2fc955c0c334cbde020746710f3f56991f30 SHA256 85181b0f7419ffc6c68e72c1f4d045bd59373416ff48838a0ac19087abaa9c9c File users\5jghkoaofdp\documents\outlook files\cjeijc.diuv@div.com.encrypted.pst users\5jghkoaofdp\documents\outlook files\cjeijc.diuv@div.com.encrypted.pst c:\ c:\users\5jghkoaofdp\documents\outlook files\cjeijc.diuv@div.com.encrypted.pst pst File users\5jghkoaofdp\documents\pldu.docx users\5jghkoaofdp\documents\pldu.docx c:\ c:\users\5jghkoaofdp\documents\pldu.docx docx File users\5jghkoaofdp\documents\pldu.encrypted.docx users\5jghkoaofdp\documents\pldu.encrypted.docx c:\ c:\users\5jghkoaofdp\documents\pldu.encrypted.docx docx MD5 ccdd9bf84db49be6ddecf43581b52990 SHA1 7e49228b19486952f30c7e135d7464f05247f819 SHA256 0b43a83baa0bb26b8f60a8d73f1d067e377ef81a19cd46dbce54a1fce8cb9c4b File users\5jghkoaofdp\documents\tex-fku3alzfvtfyy7.encrypted.pptx users\5jghkoaofdp\documents\tex-fku3alzfvtfyy7.encrypted.pptx c:\ c:\users\5jghkoaofdp\documents\tex-fku3alzfvtfyy7.encrypted.pptx pptx File users\5jghkoaofdp\documents\vlxre2epcij.xlsx users\5jghkoaofdp\documents\vlxre2epcij.xlsx c:\ c:\users\5jghkoaofdp\documents\vlxre2epcij.xlsx xlsx File users\5jghkoaofdp\documents\vlxre2epcij.encrypted.xlsx users\5jghkoaofdp\documents\vlxre2epcij.encrypted.xlsx c:\ c:\users\5jghkoaofdp\documents\vlxre2epcij.encrypted.xlsx xlsx File users\5jghkoaofdp\documents\xft-x_yfldei9he.pptx users\5jghkoaofdp\documents\xft-x_yfldei9he.pptx c:\ c:\users\5jghkoaofdp\documents\xft-x_yfldei9he.pptx pptx File users\5jghkoaofdp\documents\xft-x_yfldei9he.encrypted.pptx 
users\5jghkoaofdp\documents\xft-x_yfldei9he.encrypted.pptx c:\ c:\users\5jghkoaofdp\documents\xft-x_yfldei9he.encrypted.pptx pptx File users\5jghkoaofdp\documents\ybk9km-2tdyzmn.xlsx users\5jghkoaofdp\documents\ybk9km-2tdyzmn.xlsx c:\ c:\users\5jghkoaofdp\documents\ybk9km-2tdyzmn.xlsx xlsx File users\5jghkoaofdp\documents\ybk9km-2tdyzmn.encrypted.xlsx users\5jghkoaofdp\documents\ybk9km-2tdyzmn.encrypted.xlsx c:\ c:\users\5jghkoaofdp\documents\ybk9km-2tdyzmn.encrypted.xlsx xlsx File users\5jghkoaofdp\documents\zbza.xlsx users\5jghkoaofdp\documents\zbza.xlsx c:\ c:\users\5jghkoaofdp\documents\zbza.xlsx xlsx File users\5jghkoaofdp\documents\zd9_fkulwlewhm.xlsx users\5jghkoaofdp\documents\zd9_fkulwlewhm.xlsx c:\ c:\users\5jghkoaofdp\documents\zd9_fkulwlewhm.xlsx xlsx File users\5jghkoaofdp\documents\zd9_fkulwlewhm.encrypted.xlsx users\5jghkoaofdp\documents\zd9_fkulwlewhm.encrypted.xlsx c:\ c:\users\5jghkoaofdp\documents\zd9_fkulwlewhm.encrypted.xlsx xlsx MD5 5103ba382b3ff4928f0be25060ae01be SHA1 c7f3d4c7670d35d579671ccfd78d4801fe5e0ae5 SHA256 7f3b86e47b1d930a6ce211d85cb1f99e1e74dd8591f273948de04be20209b791 File users\5jghkoaofdp\documents\_z34wum36pnqy_aka.pptx users\5jghkoaofdp\documents\_z34wum36pnqy_aka.pptx c:\ c:\users\5jghkoaofdp\documents\_z34wum36pnqy_aka.pptx pptx File users\5jghkoaofdp\documents\_z34wum36pnqy_aka.encrypted.pptx users\5jghkoaofdp\documents\_z34wum36pnqy_aka.encrypted.pptx c:\ c:\users\5jghkoaofdp\documents\_z34wum36pnqy_aka.encrypted.pptx pptx File users\5jghkoaofdp\downloads\chromesetup.exe users\5jghkoaofdp\downloads\chromesetup.exe c:\ c:\users\5jghkoaofdp\downloads\chromesetup.exe exe File users\5jghkoaofdp\downloads\chromesetup.encrypted.exe users\5jghkoaofdp\downloads\chromesetup.encrypted.exe c:\ c:\users\5jghkoaofdp\downloads\chromesetup.encrypted.exe exe File users\5jghkoaofdp\downloads\desktop.ini users\5jghkoaofdp\downloads\desktop.ini c:\ c:\users\5jghkoaofdp\downloads\desktop.ini ini File users\5jghkoaofdp\music\-e7zhxg.wav 
users\5jghkoaofdp\music\-e7zhxg.wav c:\ c:\users\5jghkoaofdp\music\-e7zhxg.wav wav File users\5jghkoaofdp\music\1ahirtuhyorqs.m4a users\5jghkoaofdp\music\1ahirtuhyorqs.m4a c:\ c:\users\5jghkoaofdp\music\1ahirtuhyorqs.m4a m4a File users\5jghkoaofdp\music\1ahirtuhyorqs.encrypted.m4a users\5jghkoaofdp\music\1ahirtuhyorqs.encrypted.m4a c:\ c:\users\5jghkoaofdp\music\1ahirtuhyorqs.encrypted.m4a m4a File users\5jghkoaofdp\music\1q1ef6.wav users\5jghkoaofdp\music\1q1ef6.wav c:\ c:\users\5jghkoaofdp\music\1q1ef6.wav wav File users\5jghkoaofdp\music\1q1ef6.encrypted.wav users\5jghkoaofdp\music\1q1ef6.encrypted.wav c:\ c:\users\5jghkoaofdp\music\1q1ef6.encrypted.wav wav File users\5jghkoaofdp\music\5gt6ul.mp3 users\5jghkoaofdp\music\5gt6ul.mp3 c:\ c:\users\5jghkoaofdp\music\5gt6ul.mp3 mp3 File users\5jghkoaofdp\music\5gt6ul.encrypted.mp3 users\5jghkoaofdp\music\5gt6ul.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\5gt6ul.encrypted.mp3 mp3 File users\5jghkoaofdp\music\7hpbkbpy8qxzhhut.mp3 users\5jghkoaofdp\music\7hpbkbpy8qxzhhut.mp3 c:\ c:\users\5jghkoaofdp\music\7hpbkbpy8qxzhhut.mp3 mp3 File users\5jghkoaofdp\music\7hpbkbpy8qxzhhut.encrypted.mp3 users\5jghkoaofdp\music\7hpbkbpy8qxzhhut.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\7hpbkbpy8qxzhhut.encrypted.mp3 mp3 File users\5jghkoaofdp\music\desktop.ini users\5jghkoaofdp\music\desktop.ini c:\ c:\users\5jghkoaofdp\music\desktop.ini ini File users\5jghkoaofdp\music\ecv1iylcss.m4a users\5jghkoaofdp\music\ecv1iylcss.m4a c:\ c:\users\5jghkoaofdp\music\ecv1iylcss.m4a m4a File users\5jghkoaofdp\music\ecv1iylcss.encrypted.m4a users\5jghkoaofdp\music\ecv1iylcss.encrypted.m4a c:\ c:\users\5jghkoaofdp\music\ecv1iylcss.encrypted.m4a m4a File users\5jghkoaofdp\music\hfcmwoswhz-hdt.m4a users\5jghkoaofdp\music\hfcmwoswhz-hdt.m4a c:\ c:\users\5jghkoaofdp\music\hfcmwoswhz-hdt.m4a m4a File users\5jghkoaofdp\music\hfcmwoswhz-hdt.encrypted.m4a users\5jghkoaofdp\music\hfcmwoswhz-hdt.encrypted.m4a c:\ 
c:\users\5jghkoaofdp\music\hfcmwoswhz-hdt.encrypted.m4a m4a File users\5jghkoaofdp\music\nk2ofih.m4a users\5jghkoaofdp\music\nk2ofih.m4a c:\ c:\users\5jghkoaofdp\music\nk2ofih.m4a m4a File users\5jghkoaofdp\music\nk2ofih.encrypted.m4a users\5jghkoaofdp\music\nk2ofih.encrypted.m4a c:\ c:\users\5jghkoaofdp\music\nk2ofih.encrypted.m4a m4a File users\5jghkoaofdp\music\onvmabx84l5xkpsb6ep.wav users\5jghkoaofdp\music\onvmabx84l5xkpsb6ep.wav c:\ c:\users\5jghkoaofdp\music\onvmabx84l5xkpsb6ep.wav wav File users\5jghkoaofdp\music\onvmabx84l5xkpsb6ep.encrypted.wav users\5jghkoaofdp\music\onvmabx84l5xkpsb6ep.encrypted.wav c:\ c:\users\5jghkoaofdp\music\onvmabx84l5xkpsb6ep.encrypted.wav wav File users\5jghkoaofdp\music\qz9eopb-.mp3 users\5jghkoaofdp\music\qz9eopb-.mp3 c:\ c:\users\5jghkoaofdp\music\qz9eopb-.mp3 mp3 File users\5jghkoaofdp\music\qz9eopb-.encrypted.mp3 users\5jghkoaofdp\music\qz9eopb-.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\qz9eopb-.encrypted.mp3 mp3 File users\5jghkoaofdp\music\sy4u8t-k4v-tx.mp3 users\5jghkoaofdp\music\sy4u8t-k4v-tx.mp3 c:\ c:\users\5jghkoaofdp\music\sy4u8t-k4v-tx.mp3 mp3 File users\5jghkoaofdp\music\sy4u8t-k4v-tx.encrypted.mp3 users\5jghkoaofdp\music\sy4u8t-k4v-tx.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\sy4u8t-k4v-tx.encrypted.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\0u --gozcqve1q5p.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\0u --gozcqve1q5p.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\0u --gozcqve1q5p.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\31aunbdcov.m4a users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\31aunbdcov.m4a c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\31aunbdcov.m4a m4a File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\31aunbdcov.encrypted.m4a users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\31aunbdcov.encrypted.m4a c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\31aunbdcov.encrypted.m4a m4a File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\b3itwwocny-dv_k.mp3 
users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\b3itwwocny-dv_k.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\b3itwwocny-dv_k.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\b3itwwocny-dv_k.encrypted.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\b3itwwocny-dv_k.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\b3itwwocny-dv_k.encrypted.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\beifi.encrypted.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\beifi.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\beifi.encrypted.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\g1tp7xrmqup7.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\g1tp7xrmqup7.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\g1tp7xrmqup7.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\iqgbyd1lyt0est.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\iqgbyd1lyt0est.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\iqgbyd1lyt0est.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\iqgbyd1lyt0est.encrypted.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\iqgbyd1lyt0est.encrypted.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\iqgbyd1lyt0est.encrypted.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\latasn2xd.m4a users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\latasn2xd.m4a c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\latasn2xd.m4a m4a File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\latasn2xd.encrypted.m4a users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\latasn2xd.encrypted.m4a c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\latasn2xd.encrypted.m4a m4a File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n4rwm_lbui1y47ye.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n4rwm_lbui1y47ye.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n4rwm_lbui1y47ye.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n4rwm_lbui1y47ye.encrypted.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n4rwm_lbui1y47ye.encrypted.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n4rwm_lbui1y47ye.encrypted.wav wav 
File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\nif5n.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\nif5n.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\nif5n.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\nif5n.encrypted.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\nif5n.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\nif5n.encrypted.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n_v7t6p3k51.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n_v7t6p3k51.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n_v7t6p3k51.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n_v7t6p3k51.encrypted.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n_v7t6p3k51.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\n_v7t6p3k51.encrypted.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\okf4yowsz-apdzsj.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\okf4yowsz-apdzsj.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\okf4yowsz-apdzsj.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\okf4yowsz-apdzsj.encrypted.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\okf4yowsz-apdzsj.encrypted.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\okf4yowsz-apdzsj.encrypted.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\qkmezet2rw9j4.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\qkmezet2rw9j4.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\qkmezet2rw9j4.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\qkmezet2rw9j4.encrypted.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\qkmezet2rw9j4.encrypted.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\qkmezet2rw9j4.encrypted.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\v5iko1.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\v5iko1.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\v5iko1.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\v5iko1.encrypted.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\v5iko1.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\v5iko1.encrypted.mp3 mp3 MD5 
6b0977b640f54f2148b33ea9c686360e SHA1 04a0d9eb686a127bf5b91c02b0ff84b9f76f2345 SHA256 1c361912ae72195495356177a335be9ac6cb93bd68206c05460a5d588f49c494 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vg92tma h58wct.m4a users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vg92tma h58wct.m4a c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vg92tma h58wct.m4a m4a File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vg92tma h58wct.encrypted.m4a users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vg92tma h58wct.encrypted.m4a c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vg92tma h58wct.encrypted.m4a m4a File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vubvaj.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vubvaj.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vubvaj.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vubvaj.encrypted.mp3 users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vubvaj.encrypted.mp3 c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\vubvaj.encrypted.mp3 mp3 File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\wn2d1y8y7f1tg2r.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\wn2d1y8y7f1tg2r.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\wn2d1y8y7f1tg2r.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\wn2d1y8y7f1tg2r.encrypted.wav users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\wn2d1y8y7f1tg2r.encrypted.wav c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\wn2d1y8y7f1tg2r.encrypted.wav wav File users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\zcljlew5ko3qlsrl.m4a users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\zcljlew5ko3qlsrl.m4a c:\ c:\users\5jghkoaofdp\music\ygqpk-ymjwgakf7q\zcljlew5ko3qlsrl.m4a m4a File users\5jghkoaofdp\music\yo5yetxnv.m4a users\5jghkoaofdp\music\yo5yetxnv.m4a c:\ c:\users\5jghkoaofdp\music\yo5yetxnv.m4a m4a File users\5jghkoaofdp\music\yo5yetxnv.encrypted.m4a users\5jghkoaofdp\music\yo5yetxnv.encrypted.m4a c:\ c:\users\5jghkoaofdp\music\yo5yetxnv.encrypted.m4a m4a File users\5jghkoaofdp\ntuser.dat users\5jghkoaofdp\ntuser.dat c:\ c:\users\5jghkoaofdp\ntuser.dat dat File 
File c:\progra~1\common~1\1365363213 MD5 ed31cbe057cdf23178c1f2ba56935bb2 SHA1 d59dafa8efb71f884ba2d45e81b578840146ddca SHA256 ca7c6bc32e528080123c9f9b5f789ea602e26191d9665e8c671498cc18e902dd
WinRegistryKey Control Panel\Mouse HKEY_CURRENT_USER SwapMouseButtons
WinRegistryKey Software\AutoIt v3\AutoIt HKEY_CURRENT_USER
WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System HKEY_LOCAL_MACHINE EnableLinkedConnections
WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU HKEY_CURRENT_USER
WinRegistryKey HKEY_USERS
SocketAddress blockchain.info 443
NetworkConnection HTTP blockchain.info 443
URI blockchain.info/tobtc?currency=USD&value=1500
WinRegistryKey Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER
WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun
WinRegistryKey Software\Microsoft\Command Processor HKEY_CURRENT_USER DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun
File STD_INPUT_HANDLE
File STD_OUTPUT_HANDLE
File STD_ERROR_HANDLE
File c:\users\5jghko~1\desktop\wanacr~1.exe exe
File c:\users\5jghkoaofdp\desktop\wanacry6.malware.exe exe
File c:\progra~1\common~1\log.txt txt
File c:\progra~1\common~1\3123635631 MD5 a54f0041a9e15b050f25c463f1db7449 SHA1 d9be6524a5f5047db5866813acf3277892a7a30a SHA256 ad95131bc0b799c0b1af477fb14fcf26a6a9f76079e48bf090acb7e8367bfd0e
File c:\windows\system32\spp\store\2.0\data.dat dat MD5 ec1abca3d8d1cf4cb5fe6cff5b19930c SHA1 88ae788f97ffe0a67b4665d931a459491a875297 SHA256 047b76c8fc87787b5328077ccf0c68c3682be1d481376b46af55d7790c61c8cf Moved_To
File c:\windows\system32\spp\store\2.0\data.dat.bak bak MD5 ec1abca3d8d1cf4cb5fe6cff5b19930c SHA1 88ae788f97ffe0a67b4665d931a459491a875297 SHA256 047b76c8fc87787b5328077ccf0c68c3682be1d481376b46af55d7790c61c8cf Moved_To Moved_From
File c:\windows\system32\spp\store\2.0\data.dat.tmp tmp MD5 ec1abca3d8d1cf4cb5fe6cff5b19930c SHA1 88ae788f97ffe0a67b4665d931a459491a875297 SHA256 047b76c8fc87787b5328077ccf0c68c3682be1d481376b46af55d7790c61c8cf Moved_From
Analyzed Sample #17425
Malware Artifacts 17425
Sample-ID: #17425 Job-ID: #1664
This sample was analyzed by VMRay Analyzer 2.1.0 on a Windows 8.1 system
0 VTI Score based on VTI Database Version 2.6

Metadata of Sample File #17425
Submission-ID: #17427
C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe exe MD5 d78bfdd6242361aa09a0e730ae9dc49a SHA1 5e301e5ee7ce8840bf9003df1f3d5cf3679f5753 SHA256 bc885443e29b027d5f307e2f3d36e70ba650d608604aeeea7e748c6dc948a8a6 Opened_By

Metadata of Analysis for Job-ID #1664
Timeout True x86 64-bit 6.3.9600.16404 (fd3d00d2-8edc-4527-bb92-2bcc0509d285) win8.1_64 True 319.987 Windows 8.1
This is a property collection for additional information of VMRay analysis
VMRay Analyzer

Anti Analysis VTI rule match with VTI rule score 1/5 vmray_detect_debugger_by_api Check via API "IsDebuggerPresent". Try to detect debugger
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE" starts with hidden window. Create process with hidden window
Anti Analysis VTI rule match with VTI rule score 1/5 vmray_dynamic_api_usage_by_api Resolve above average number of APIs. Dynamic API usage
OS VTI rule match with VTI rule score 1/5 vmray_use_encryption_api Use above average number of encryption APIs. Use encryption API
File System VTI rule match with VTI rule score 4/5 vmray_modify_user_files Modify the content of multiple user files. This is an indicator for an encryption attempt. Modify content of user files
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "C:\Windows\system32\cmd.exe /C title 4180649|vssadmin.exe Delete Shadows /All /Quiet" starts with hidden window. Create process with hidden window
OS VTI rule match with VTI rule score 3/5 vmray_disable_startup_repair Disable startup repair by executing "C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No". Disable system tool
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No" starts with hidden window. Create process with hidden window
OS VTI rule match with VTI rule score 3/5 vmray_disable_startup_repair Disable startup repair by executing "C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures". Disable system tool
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures" starts with hidden window. Create process with hidden window
File System VTI rule match with VTI rule score 1/5 vmray_modify_windows_dir_by_file Modify "c:\windows\system32\spp\store\2.0\data.dat.tmp". Modify operating system directory
File System VTI rule match with VTI rule score 1/5 vmray_modify_windows_dir_by_file Modify "c:\windows\system32\spp\store\2.0\data.dat.bak". Modify operating system directory
File System VTI rule match with VTI rule score 1/5 vmray_modify_windows_dir_by_file Modify "c:\windows\system32\spp\store\2.0\data.dat". Modify operating system directory