wannacry | hxxp://youtube[.]com

Resubmissions

24-03-2024 19:35

240324-yaq5ssad6y 10

24-03-2024 19:29

240324-x69rcaac9y 10

24-03-2024 19:26

240324-x5lywsac7v 8

Analysis

max time kernel
488s
max time network
494s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://youtube.com

Score

10^/10

wannacry discovery evasion persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2588 netsh.exe
5140 netsh.exe

pid	process
2588	netsh.exe
5140	netsh.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

idafree84_windows.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe	idafree84_windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\CWDIllegalInDllSearch = "4294967295"	idafree84_windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\MitigationOptions = "256"	idafree84_windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\MitigationOptions = "256"	idafree84_windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\DisableExceptionChainValidation = "0"	idafree84_windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\DisableExceptionChainValidation = "0"	idafree84_windows.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe	idafree84_windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\CWDIllegalInDllSearch = "4294967295"	idafree84_windows.exe

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD25A8.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD25CE.tmp	WannaCry.EXE

Executes dropped EXE 18 IoCs

Processes:

ida64.exetaskdl.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskse.exe@[email protected]taskdl.exetaskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
3792	ida64.exe
5804	taskdl.exe
4920	taskdl.exe
5880	@[email protected]
5256	@[email protected]
2364	taskhsvc.exe
5816	taskse.exe
4608	@[email protected]
3368	taskdl.exe
4036	taskdl.exe
4968	taskse.exe
1388	@[email protected]
4796	taskse.exe
5368	@[email protected]
3984	taskdl.exe
3768	taskse.exe
2624	@[email protected]
5204	taskdl.exe

Loads dropped DLL 64 IoCs

Processes:

idafree84_windows.exeida64.exetaskhsvc.exe

pid	process
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
3792	ida64.exe
2364	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2356 icacls.exe

pid	process
2356	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\akgdoowspmymzqz517 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

148 camo.githubusercontent.com
149 camo.githubusercontent.com
177 raw.githubusercontent.com
178 raw.githubusercontent.com

flow	ioc
148	camo.githubusercontent.com
149	camo.githubusercontent.com
177	raw.githubusercontent.com
178	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]@[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

idafree84_windows.exe

description	ioc	process
File created	C:\Program Files\IDA Freeware 8.4\til\pc\bcb5win.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\sig\pc\win64unx.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\ida64.int	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc2.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\til\pc\mssdk.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\sig\pc\go_std_abi0.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\til\gnuunx64.til	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\qwingraph.exe	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\go_std_abi0.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\qt.conf	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\vcseh.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\plugins\win32_user64.dll	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\themes\_base\theme.css	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\plugins\imageformats\qsvg.dll	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\Qt5Svg.dll	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc64u.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\libdwarf.dll	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\libdwarf.dll	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\vc64_14.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\til\pc\ntapi64_win7.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\sig\pc\vc32mfce.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\idc\bds.idc	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\themes\dark\icons\expand.png	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\cfg\idagui.cfg	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\til\pc\vc10.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\ida64.exe	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\vc32mfc.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\til\macosx64.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\til\pc\vc6win.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\picture_decoder.exe	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc2d.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\Qt5Gui.dll	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc64.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\pe.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\vc32rtf.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\plugins\styles\qwindowsvistastyle.dll	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\elf64.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\Uninstall IDA Freeware 8.4.lnk	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\tclA72E.tmp	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\plugins\eh_parse64.dll	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\sig\pc\elf64.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\plugins\iconengines\qsvgicon.dll	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\til\pc\bc31.til	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\til\pc\w16dos.til	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\uninstall.exe	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\til\objc64.til	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\iclapp64.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\sig\pc\pe64.sig	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\ida.hlp	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\til\pc\bcb5win.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\til\pc\mssdk64_win7.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\plugins\tds64.dll	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\sig\pc\mssdk64.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\til\pc\w32dos.til	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\idahelp.chm	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\idc\idc.idc	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\sig\pc\bcb5rt.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\cfg\exceptions.cfg	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\cfg\hexrays.cfg	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\themes\darcula\theme.css	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\themes\default\theme.css	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\ids\idsnames	idafree84_windows.exe
File created	C:\Program Files\IDA Freeware 8.4\sig\pc\vc64mfc.sig	idafree84_windows.exe
File opened for modification	C:\Program Files\IDA Freeware 8.4\til\macosx64.til	idafree84_windows.exe

Drops file in Windows directory 2 IoCs

Processes:

mspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

idafree84_windows.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	idafree84_windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	idafree84_windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	idafree84_windows.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

Processes:

idafree84_windows.exeida64.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDApro.Database64\shell\open\command\ = "\"C:\\Program Files\\IDA Freeware 8.4\\ida64.exe\" \"%1\""	idafree84_windows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.i64\ = "IDApro.Database64"	idafree84_windows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGraph.File\DefaultIcon\ = "C:\\Program Files\\IDA Freeware 8.4\\wingraph32.exe,0"	idafree84_windows.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\NodeSlot = "4"	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGraph.File	idafree84_windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGraph.File\DefaultIcon	idafree84_windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDApro.Database64	idafree84_windows.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874369"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinGraph.File\shell\open\command	idafree84_windows.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	ida64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDApro.Database64\DefaultIcon\ = "C:\\Program Files\\IDA Freeware 8.4\\ida64.exe,0"	idafree84_windows.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = 00000000ffffffff	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e007180000000000000000000006abe817b2bce7646a29eeb907a5126c50000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 = 8c003100000000007858d69c110050524f4752417e310000740009000400efbe874fdb497858d69c2e0000003f0000000000010000000000000000004a0000000000a431e400500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5788 reg.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ida64.exeexplorer.exe

pid process

3792 ida64.exe
4708 explorer.exe

pid	process
5788	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exeidafree84_windows.exetaskmgr.exetaskhsvc.exemspaint.exemspaint.exe

pid	process
3304	msedge.exe
3304	msedge.exe
1908	msedge.exe
1908	msedge.exe
3776	identity_helper.exe
3776	identity_helper.exe
6048	msedge.exe
6048	msedge.exe
3352	msedge.exe
3352	msedge.exe
5144	msedge.exe
5144	msedge.exe
5144	msedge.exe
5144	msedge.exe
3988	msedge.exe
3988	msedge.exe
1180	idafree84_windows.exe
1180	idafree84_windows.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
2364	taskhsvc.exe
2364	taskhsvc.exe
2364	taskhsvc.exe
2364	taskhsvc.exe
1360	mspaint.exe
1360	mspaint.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
2364	taskhsvc.exe
2364	taskhsvc.exe
5892	taskmgr.exe
5892	taskmgr.exe
2216	mspaint.exe
2216	mspaint.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

ida64.exetaskmgr.exeexplorer.exe

pid process

3792 ida64.exe
5892 taskmgr.exe
4708 explorer.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

ida64.exetaskmgr.exetaskse.exeWMIC.exevssvc.exetaskse.exetaskse.exeexplorer.exetaskse.exe

description	pid	process
Token: SeDebugPrivilege	3792	ida64.exe
Token: SeDebugPrivilege	5892	taskmgr.exe
Token: SeSystemProfilePrivilege	5892	taskmgr.exe
Token: SeCreateGlobalPrivilege	5892	taskmgr.exe
Token: SeTcbPrivilege	5816	taskse.exe
Token: SeTcbPrivilege	5816	taskse.exe
Token: SeIncreaseQuotaPrivilege	5848	WMIC.exe
Token: SeSecurityPrivilege	5848	WMIC.exe
Token: SeTakeOwnershipPrivilege	5848	WMIC.exe
Token: SeLoadDriverPrivilege	5848	WMIC.exe
Token: SeSystemProfilePrivilege	5848	WMIC.exe
Token: SeSystemtimePrivilege	5848	WMIC.exe
Token: SeProfSingleProcessPrivilege	5848	WMIC.exe
Token: SeIncBasePriorityPrivilege	5848	WMIC.exe
Token: SeCreatePagefilePrivilege	5848	WMIC.exe
Token: SeBackupPrivilege	5848	WMIC.exe
Token: SeRestorePrivilege	5848	WMIC.exe
Token: SeShutdownPrivilege	5848	WMIC.exe
Token: SeDebugPrivilege	5848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5848	WMIC.exe
Token: SeRemoteShutdownPrivilege	5848	WMIC.exe
Token: SeUndockPrivilege	5848	WMIC.exe
Token: SeManageVolumePrivilege	5848	WMIC.exe
Token: 33	5848	WMIC.exe
Token: 34	5848	WMIC.exe
Token: 35	5848	WMIC.exe
Token: 36	5848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5848	WMIC.exe
Token: SeSecurityPrivilege	5848	WMIC.exe
Token: SeTakeOwnershipPrivilege	5848	WMIC.exe
Token: SeLoadDriverPrivilege	5848	WMIC.exe
Token: SeSystemProfilePrivilege	5848	WMIC.exe
Token: SeSystemtimePrivilege	5848	WMIC.exe
Token: SeProfSingleProcessPrivilege	5848	WMIC.exe
Token: SeIncBasePriorityPrivilege	5848	WMIC.exe
Token: SeCreatePagefilePrivilege	5848	WMIC.exe
Token: SeBackupPrivilege	5848	WMIC.exe
Token: SeRestorePrivilege	5848	WMIC.exe
Token: SeShutdownPrivilege	5848	WMIC.exe
Token: SeDebugPrivilege	5848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5848	WMIC.exe
Token: SeRemoteShutdownPrivilege	5848	WMIC.exe
Token: SeUndockPrivilege	5848	WMIC.exe
Token: SeManageVolumePrivilege	5848	WMIC.exe
Token: 33	5848	WMIC.exe
Token: 34	5848	WMIC.exe
Token: 35	5848	WMIC.exe
Token: 36	5848	WMIC.exe
Token: SeBackupPrivilege	5900	vssvc.exe
Token: SeRestorePrivilege	5900	vssvc.exe
Token: SeAuditPrivilege	5900	vssvc.exe
Token: SeTcbPrivilege	4968	taskse.exe
Token: SeTcbPrivilege	4968	taskse.exe
Token: SeTcbPrivilege	4796	taskse.exe
Token: SeTcbPrivilege	4796	taskse.exe
Token: SeShutdownPrivilege	4708	explorer.exe
Token: SeCreatePagefilePrivilege	4708	explorer.exe
Token: SeTcbPrivilege	3768	taskse.exe
Token: SeTcbPrivilege	3768	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe@[email protected]

pid	process
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
4608	@[email protected]
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe
5892	taskmgr.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

ida64.exe@[email protected]@[email protected]@[email protected]mspaint.exemspaint.exe@[email protected]@[email protected]@[email protected]

pid	process
3792	ida64.exe
3792	ida64.exe
5256	@[email protected]
5880	@[email protected]
5880	@[email protected]
5256	@[email protected]
4608	@[email protected]
4608	@[email protected]
1360	mspaint.exe
1360	mspaint.exe
1360	mspaint.exe
1360	mspaint.exe
2216	mspaint.exe
2216	mspaint.exe
2216	mspaint.exe
2216	mspaint.exe
1388	@[email protected]
5368	@[email protected]
5368	@[email protected]
2624	@[email protected]
2624	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exeidafree84_windows.exeWannaCry.EXEcmd.exe

description	pid	process	target process
PID 3924 wrote to memory of 3812	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 3812	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 4856	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 1908	3924	msedge.exe	msedge.exe
PID 3924 wrote to memory of 1908	3924	msedge.exe	msedge.exe
PID 1180 wrote to memory of 2588	1180	idafree84_windows.exe	netsh.exe
PID 1180 wrote to memory of 2588	1180	idafree84_windows.exe	netsh.exe
PID 1180 wrote to memory of 5140	1180	idafree84_windows.exe	netsh.exe
PID 1180 wrote to memory of 5140	1180	idafree84_windows.exe	netsh.exe
PID 3420 wrote to memory of 2036	3420	WannaCry.EXE	attrib.exe
PID 3420 wrote to memory of 2036	3420	WannaCry.EXE	attrib.exe
PID 3420 wrote to memory of 2036	3420	WannaCry.EXE	attrib.exe
PID 3420 wrote to memory of 2356	3420	WannaCry.EXE	icacls.exe
PID 3420 wrote to memory of 2356	3420	WannaCry.EXE	icacls.exe
PID 3420 wrote to memory of 2356	3420	WannaCry.EXE	icacls.exe
PID 3420 wrote to memory of 5804	3420	WannaCry.EXE	taskdl.exe
PID 3420 wrote to memory of 5804	3420	WannaCry.EXE	taskdl.exe
PID 3420 wrote to memory of 5804	3420	WannaCry.EXE	taskdl.exe
PID 3420 wrote to memory of 5508	3420	WannaCry.EXE	cmd.exe
PID 3420 wrote to memory of 5508	3420	WannaCry.EXE	cmd.exe
PID 3420 wrote to memory of 5508	3420	WannaCry.EXE	cmd.exe
PID 5508 wrote to memory of 2108	5508	cmd.exe	cscript.exe
PID 5508 wrote to memory of 2108	5508	cmd.exe	cscript.exe
PID 5508 wrote to memory of 2108	5508	cmd.exe	cscript.exe
PID 3420 wrote to memory of 1804	3420	WannaCry.EXE	attrib.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2036 attrib.exe
1804 attrib.exe

pid	process
2036	attrib.exe
1804	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youtube.com
1⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d13046f8,0x7ff9d1304708,0x7ff9d1304718
2⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17142316116035410806,5192612307888071038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,17142316116035410806,5192612307888071038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d13046f8,0x7ff9d1304708,0x7ff9d1304718
1⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
1⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
1⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
1⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
1⤵
PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
1⤵
PID:1860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
1⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
1⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
1⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
1⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
1⤵
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3556 /prefetch:8
1⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
1⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
1⤵
PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
1⤵
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4628 /prefetch:8
1⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6132 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
1⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
1⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
1⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
1⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
1⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4844 /prefetch:8
1⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
1⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6556 /prefetch:8
1⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
1⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
1⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
1⤵
PID:4504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
1⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4988 /prefetch:8
1⤵
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
1⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
1⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
1⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
1⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5112 /prefetch:2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,18191900203768769283,1302812036968555164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7720 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Users\Admin\Downloads\idafree84_windows.exe
"C:\Users\Admin\Downloads\idafree84_windows.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SYSTEM32\netsh.exe
C:\Windows\SYSTEM32\netsh.exe advfirewall firewall show rule "name=\"IDA" Freeware\"
2⤵
- Modifies Windows Firewall
PID:2588

C:\Windows\SYSTEM32\netsh.exe
C:\Windows\SYSTEM32\netsh.exe advfirewall firewall add rule "name=\"IDA" Freeware\" "dir=in" "action=allow" "program=\"C:\Program" Files\IDA Freeware 8.4\ida64.exe\"
2⤵
- Modifies Windows Firewall
PID:5140

C:\Program Files\IDA Freeware 8.4\ida64.exe
"C:\Program Files\IDA Freeware 8.4\ida64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3792

C:\Users\Admin\Desktop\WannaCry.EXE
"C:\Users\Admin\Desktop\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2036

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2356

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 111741711309228.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:5508

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:2108

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:1804

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Users\Admin\Desktop\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5880

C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:1896

C:\Users\Admin\Desktop\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:1060

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "akgdoowspmymzqz517" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
2⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "akgdoowspmymzqz517" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:5788

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3368

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5368

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3984

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5204

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5892

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:1404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:5436

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5988

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5Core.dll

Filesize
5.9MB

MD5
af65b981ef1a3223ea6406b3231525aa

SHA1
1f468eb743b2b461155cfd956d3de332920daa6f

SHA256
d9e3a0b5e5a2cd294dfd68c7c1953659626a7ece4a5cf302818d0e0617af6c19

SHA512
9b64290d0070a162fbf43c000693ac1928d7cae543ac42753f640ff840ad9c9cd872afbaaec953a8794b383de7483fb35489c86ae6980a4d188dc3d25dfb645f

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5Gui.dll

Filesize
6.6MB

MD5
d4a3c4aa316fa3bb06dbe0418398a130

SHA1
ebe88a4af0d23d1b8c0d9a0b27069404d9d98781

SHA256
02ea8df01224763e7cb71ec50801cf8dddf40b25eb7d52552e71adf7d6ceb529

SHA512
a28441dd1abeae970e2beb74b9b363d274eaffd630ddd1573574c47f5d5b317d870d6efd02a2313e4a1c1c7c8eaee0cbb036e2587a1929391fc1935efe7c0992

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5Gui.dll

Filesize
3.4MB

MD5
94caca3a996b51f0cafbe0083d8c0a4a

SHA1
43452678f6f0abc02816ab16961c55b199710768

SHA256
31c79a8ebbfcd5c20ec19ede957fd2e7285acb977afef84b6d42de0cf78a6ae8

SHA512
fc92d069c158eb9984138540e1be5d0fa84c105109301ad11858e9e1e144b7b5ad3cf7912f66c04a59b3bb442cc60bf6c4f9dea0ee67ab93aff7077ed5620f8f

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5Gui.dll

Filesize
3.3MB

MD5
ca5c94d52bffc3abe768e788a72e9314

SHA1
423bbbde2ca477f2a9c22d100af048556b55e486

SHA256
445c39af2a647b4318d8a796d73d774b787d28131043b5cbfc58c09e56e0ce6d

SHA512
f14d1742eb4ff21cd1f3b4e809590f7d668892a76a12ed03868106aa4366127eab45e84e65bb0f33dd32373e2dc74b8878ae3bd2b67131b303dfa7980bca0500

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5PrintSupport.dll

Filesize
309KB

MD5
0071c8b417763bcd06b05a68be8f0cc7

SHA1
3dadbbf5be4799d2ad83bdd3d556178300953216

SHA256
72527a335ce5c52d687b27201a56b5136e1b65fe8101000e3a8dd01c7a9ba077

SHA512
d420005f0807adb69d4582f01e5902181fe4ee61fbab1f10ba300f1f489ea820b6347549c413b064bb3143a74b89f49d3249c2b7a644faa12479b60387d7806c

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5Svg.dll

Filesize
324KB

MD5
e32684e01838b69a94136384ec408e0d

SHA1
5245c0fe994ef7a8c34fc9ddaa6464b7aee1e8bc

SHA256
67d8dba0e845a3b331ef50d2d83c210a0f8ad3399e55b2b1b61e7b0fa2d28dae

SHA512
058a90b407a8d15344b45d1560ed69b7baa468bb42944b0a9cfbbd09f89b57c14cd619f47b32a2c00197470425424b202711dbc2745866a644aba2bf40d051c0

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5Widgets.dll

Filesize
4.2MB

MD5
b6643ebdec3cd874331c8781de2cc731

SHA1
625e49a4b074d8a8548f12be9407f5298fa61e75

SHA256
161bfb0f15b663b48f75b91d93d8bc1f6292c7b71ee3bf43426891d43af22f38

SHA512
60e90a9b2a23ae113d75b2001c4cb641b401e37853af37057e2133fd5d89a65a286864f7a24054d0ecbb83009ae7b82c03da1ab336bea1f97acf04ae4414108c

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5Widgets.dll

Filesize
3.8MB

MD5
e6873b3413da20e47b7b82c7bb205024

SHA1
1d4184635cbd44f19b3104461ea6372a3e9eed23

SHA256
a67564b5247ca3a0b178145b24b5b7bf23f0bb5ce62aa5904dc3b5ac4f7b990b

SHA512
3b907bcf600106f227bdc7aa1dcdae0b5fd9f56b13446e9b87ed2c3c721cccb29d6c643744854f172c85fe84b398e955de3c92df2449196075f09589e0c1d4f6

Download Submit
C:\Program Files\IDA Freeware 8.4\Qt5Widgets.dll

Filesize
3.7MB

MD5
6f3c7a55ca7e5024fd49799d0740f118

SHA1
3c050684c12319880d7c195c29b5e675ac61514c

SHA256
4e80b5b60f8b8543c6cd1f3769030c1a365016c40f78e9311defe562f135f275

SHA512
68ee0d599c2f51edf0918db9851c0fda63fd252cc737297f1d82a9ef32d675b21b6696d3330ac962dcf48ecd040bb2296c4427fab7b4b19f72e99ee16dcc006a

Download Submit
C:\Program Files\IDA Freeware 8.4\cfg\exceptions.cfg

Filesize
15KB

MD5
b5a5da214ecc8c99731891d0578422c2

SHA1
fcc10f731f88c83cdbb48a1f74e0697270634609

SHA256
095a9959453b5aa6139f786aed1ec6c8676b357421fb293fa4481267a65242d6

SHA512
84ae27b2c404bb428bbd532eea7cd2a485730eb26b8e0ec8f345a6b2bf541d9efbf61251f96f73514fcba6413630aad616b5a76ec6ceb3d3c97090de8fd92b11

Download Submit
C:\Program Files\IDA Freeware 8.4\cfg\golang.cfg

Filesize
1KB

MD5
898540748ae58a0abecace6bea231487

SHA1
e66a8e3b2d329def51499442d00ff20f06636a59

SHA256
e360af6b8da6c32186d9918fe962da681f6952d75832b5e37148e57ad27d66ba

SHA512
c5f85332b42343e4c6a774eb46818daf06edf241bf23f9a226ebfaa7fe8a39d62860e589e958da55508033c1e66a7d089f374c2aeb911ca31d16d1dfb45920b9

Download Submit
C:\Program Files\IDA Freeware 8.4\cfg\hexrays.cfg

Filesize
18KB

MD5
b98594e407119672630a535c919bc54e

SHA1
0f9bad58ee7072f78f3376cfd19584ede68902ec

SHA256
494b55b67305f8b2dbba18088eb286fb244a4d2796eae79f3b9bd3360b61d3e0

SHA512
698196411a9e78ebc0b0d4554ed28766e10be8df6e5e41d8c614ee85b9d489dd7654fe4461602ffa232b451b7fc78b1be6393e7b2726bb7c705c66cb7b555fe5

Download Submit
C:\Program Files\IDA Freeware 8.4\cfg\ida.cfg

Filesize
73KB

MD5
b625cbf4d66bc28a036ca27cd8f74e91

SHA1
75efc9caa418fd9239de176a7ba259497049c20b

SHA256
a6f78af367a48f519fe6bc061f3c2bd9a39b2b8292f0eafa2728615bc0459ac3

SHA512
8f52a1203cf948ae84357008839e8c72fcf5bf34325fab610a4beec1371a655247cf0162746083970a3a2b2d312334993c07429864b868f633d38c5c2369ad0b

Download Submit
C:\Program Files\IDA Freeware 8.4\cfg\idagui.cfg

Filesize
73KB

MD5
b728480b698d94fcbd717f66e30c859a

SHA1
55cf565d80530dcf9bed32cac94412eb03d66a2d

SHA256
2f9aade30a97e7114a886b643d3928fedd051edc418cd43f2e2b46cf41dc6efd

SHA512
f97244f7dc9b7eb3435fe7d09896c5d83da988eb36eaf7cf366e1b76d2bf3a62d4001b11171a19844173f566fb40266427ef0ee776e4b406d1d6e197a85e58a7

Download Submit
C:\Program Files\IDA Freeware 8.4\clp64.dll

Filesize
1.0MB

MD5
65807fa497110d0659bf52df1a138036

SHA1
4508a7e1621259550dad6a4f99b72844d54fad80

SHA256
5c5149827d567ad41597921ce6d9ba4bf4b89abd04af1529094ff74c68f7bbc1

SHA512
ba3de631b3e780a0a9ff73701f1cf2a52c4a024fa0f68a2871ba56b38025d56dc14c2cd18ff760c48f4f8068f390bd5fb850b3608fdd17c580b0b59ec53da311

Download Submit
C:\Program Files\IDA Freeware 8.4\ida.hlp

Filesize
997KB

MD5
96f343155005fd34df1a881168f810b0

SHA1
3127bdf37da091580d65e083e1d36da2d9a1212f

SHA256
b8619a56b2684440b2ee6743c6536da04a7ad84199d2f898d41a009d9d76cef1

SHA512
1b7c71e9511856a6c98eb9a02fdff8361f20f440b9b61fdc8a50bc6bb524e3ef27cc3d76b68ce5b5555b14c6537c777bcb4e00ebe950d1fbe5f5822f963230a5

Download Submit
C:\Program Files\IDA Freeware 8.4\ida.ico

Filesize
66KB

MD5
b1edefe3c9be279b79f0811ff2a7ab5b

SHA1
cd09e97721fa94099f9d653fa5444002d032121f

SHA256
e52c2db28a2dc57cf49663ee089f4876d9c668b38151145bf4297568297c4772

SHA512
ad6509cf65ca51d37eea4ca6da3f686048a7e2dfbd62d52df3782c0ee13f0e15098236b8f342a77beef4bb10a788132cbe8b7572afe203dd99a6f69acfedc6c1

Download Submit
C:\Program Files\IDA Freeware 8.4\ida64.dll

Filesize
3.8MB

MD5
3dbb5e8e495640fc1806d030efbc40bb

SHA1
70b5df3a6ba6ea7107ccb22da6c9f12fefa45e56

SHA256
56ec1c00d29b4ccc93e26b8ccc1e24a267fcb75d3d684fc94cd50c691ed178b1

SHA512
805d698b644db24e1238e27daa20a2a6f593adb11bf26fa9d722a9a307e832b44677a3461691ad10eca09023fba47e6a6465031c7dad2767d420a1f9ee3e65cd

Download Submit
C:\Program Files\IDA Freeware 8.4\ida64.exe

Filesize
3.7MB

MD5
cbfb49db16ef270f210c6d940cc19f36

SHA1
d08586d526ee3a006f6053568b2dc3a0464f9182

SHA256
78f1856ec1595ea687a102ece7cef166b674e47cda9dafce3d5b23bd1e99eef9

SHA512
7568fe9efc4ddd626bd2a2a7776243d66c424b0b91414d3595c1bc999a9466217c22063fe4b715c874e847caf59912525aceefad904f0234236739cd6fe52438

Download Submit
C:\Program Files\IDA Freeware 8.4\ida64.exe

Filesize
3.6MB

MD5
aa9e181ed3050218018b66aac4520f61

SHA1
0848298bca9c8fdccda72e46bd248b25e8e3185a

SHA256
39bfe76cc1d10f3e5f07e0e05e15dec96843049af41e73dffbb6b4ddc2940c27

SHA512
36eeb86b52c56ce8f6171b54925b7403c683e7687dec2c80e599ccdcb3478fd6f3ac7a810064ee409634c45d00291c4d27892fa59c6be139ecefc30ccd38a686

Download Submit
C:\Program Files\IDA Freeware 8.4\ida64.exe

Filesize
4.4MB

MD5
952de315a3b1a8d730290a12a20f3e15

SHA1
8e648db75da7574bbe908608e3c36ca10000aa3f

SHA256
f097c381fd0ab539dea496c8874b275731737b289fcd1b3142c8ef89d5355cdd

SHA512
d92428bb9965f77a94c266dd4a1dd4d114d3f4cab97749416779ef844315e04d558d9d0c2e41ef369e597e31912833b108ab904ed49387f60654f936cefb927d

Download Submit
C:\Program Files\IDA Freeware 8.4\ida64.int

Filesize
1.3MB

MD5
e8dceb9031003f600305d15f05745897

SHA1
61cc634fa24beee3b1edc191e2300f843b24f6b2

SHA256
2fcebd5b2cedb7cb41f96280df1d087c5c74ed1382d37ba0f62e2cd9ec8e84db

SHA512
1b8f9bc0f64db8110f00c03a19e08230e96e74d4555dd900731dda5cce9e24fc7313b9037c675f92e95d75277cf905a1c7d322edb7d5a83dcf5618ac72933448

Download Submit
C:\Program Files\IDA Freeware 8.4\idahelp.chm

Filesize
676KB

MD5
73d7ac4c2a8d2235d9091083fb6bedce

SHA1
4f6e870b6280bd2893c310ad1254c0ea44891221

SHA256
3afa977f16f389b2deaf3da6479c1e002742b11887e38421405c313f47088b17

SHA512
a449e3063cbfbbcec4a8189594691674129a7b4f92e3ce2adead00351ec6d9d1d39a0736b766cd3c7459cb6f26710457c0993867165c005bec97704376c2c8fb

Download Submit
C:\Program Files\IDA Freeware 8.4\idc\bds.idc

Filesize
1KB

MD5
adf2707c1776ffba6a48923a41d1dae3

SHA1
4aae34c8d782ace4418fd4b92b9289fce2fb5387

SHA256
784b6288cecd998b396cba5048a9c75fa06982d86ebdb7a7988f7d51e62fc5cb

SHA512
66cbac7ef2515e633b91d62641fc23fba62271cc6fc9412659fecfda934f320759e83a4c983ba1934037246c7e3d15b2e1923dee8a21f2610c4d6f6bc12023cf

Download Submit
C:\Program Files\IDA Freeware 8.4\idc\golang.idc

Filesize
1KB

MD5
7264a8f8bb4adafc524d5d9566cc7913

SHA1
1557589481bb6f7866bdef0f9b8963f4041949ef

SHA256
f5a46d1a64f104522754d9f0a69750330752d41a8d90ad46b0cfbf9a2eb97495

SHA512
5c2835a752e78b9a2848d3e31cb08834d3b8f04b20f6bfce7485274134524baaf8fd5b12f7d5c86b5bc8c81ad63800085a46015c8b8585ffe85c216e3eced8cd

Download Submit
C:\Program Files\IDA Freeware 8.4\idc\idc.idc

Filesize
315KB

MD5
e0b0b37ae499dc3f390d2ee966c36429

SHA1
d99b73385dd4d29c01735bcd837fd758e65f910a

SHA256
61fe5fbb4499ad3b0ab46279cd63e873c00c1d021ecd63ce657f02d53fa8aba8

SHA512
5973d9d04c1ce84305e3282ded953697bf644e9cc36e5e90b3057bec616856d00073aa51a32a02ec3cd3a430c0a6af550519b845767eae6d0fab2e907125fe74

Download Submit
C:\Program Files\IDA Freeware 8.4\ids\idsnames

Filesize
4KB

MD5
1bdd9d9a7191da1296c61a00c769b590

SHA1
77b524b1f31e8593a9674d4029acb246d277daf2

SHA256
46d70cdaa37b223d3183e5f0084201085fb68a3e0c4a4e2995f54bdfb7a338cd

SHA512
7cd79348147e82b499e19fc32c1614db20b41931573c7730a4af9c1b7bef12fdfe0377558a2f623e6b844d9d4993567d556ae1fe53f9fba963dd4af3231a376f

Download Submit
C:\Program Files\IDA Freeware 8.4\ids\win7.zip

Filesize
1.3MB

MD5
217af687cf399699e9e3a46c681513f6

SHA1
50bd304b07afe02f4735c1128c65175bec576ef0

SHA256
7ab3868b91c6d71db3905db13f1f8a93f85af14ef33ecace2fec989e39c6ad51

SHA512
72c5f9a00026c106eddfcd7b0b63961e1a99b301406f2d435ac42aa3c74b50e45ccfba1691dba6d2c5aa655c29b2a061a081f253e0bc36ad7d7c9260a37697e5

Download Submit
C:\Program Files\IDA Freeware 8.4\libdwarf.dll

Filesize
276KB

MD5
c52f1c57c12424bf36b9a5922653d92f

SHA1
90b6ff23cf50ea271d0e26deb8f32fae0684d00d

SHA256
50df0a2c54670fc0a803035cb4a2b25d422e58cc725ff7aecc4683459df7a696

SHA512
0c7295301d8c155afd23a3d137c62664ceb75e10bb4e2952784f22b02f7cdc79150d8201566d4995b0b4c3eb341a9ff321285011cef703d52877acbac0493013

Download Submit
C:\Program Files\IDA Freeware 8.4\license.txt

Filesize
18KB

MD5
df5e2be4386b169b08d1ac3389b2b5e0

SHA1
f7e14267007726cbc57f681ed862ea5a586c417f

SHA256
dbdcefa857b851eca2ad05ad6f7f871ecaabd35c7af98ed052307f0ddeb87e6a

SHA512
37d8463ce6cd19e91f02f7d9ab3c1f3b9ecad428117b0330d3b88aa9a6aff67b260d76f9bd5e64202816baf0d5650b2ff32712addbecdaee8b476dc20f92ab3d

Download Submit
C:\Program Files\IDA Freeware 8.4\loaders\elf64.dll

Filesize
397KB

MD5
db65e7735786a9dea756d976ee680f8a

SHA1
955c0d9d5360ad6382b27b3c871efe688da16657

SHA256
1281161a60f180e04a17e63b008db615d533b5322139b964a9944d7d76502d4d

SHA512
8c7cce31bd955b69895d717ba8354ecd861ddfa38c927733971064845bbcee2ed0c44474d7b1b162a3fb12fd7c723d50ce5af44ec20923836dbd73a648a3c6de

Download Submit
C:\Program Files\IDA Freeware 8.4\loaders\macho64.dll

Filesize
291KB

MD5
ff88b998c4ac722cc37dd562db5f54ca

SHA1
d88a9a13f842c08f3e6f6cd2b991b25bf7d44f23

SHA256
8deefacdca596711df448c2a9ec6b5dd3f8e74381e1de7484e4219232437e349

SHA512
e7e8dc9bf852abcf488d8e48e2d91c13b8cc6a768856d1bdab74701ce42b3d46bf193dcc01fa2de2fbb1276eed991441ba8501a4e2fd098534f5f729f7b442ae

Download Submit
C:\Program Files\IDA Freeware 8.4\loaders\pe64.dll

Filesize
182KB

MD5
fe9e929e0e8f62773b9d3a3960a0e04f

SHA1
6d92f8057c0fd2ffdaab1488f637f1797af3a391

SHA256
982078cc6a0ec98464b9ddb3ed697bd44e26607bcdeccb3a6b40e2f2d3f54275

SHA512
f14f0d12aec76668d9b8bc02c9395270729fb7e100e316e7f5211e95eca18755c8ba91895c60aab038664bfc483cab6b252f95c90645a887e6da5f936cec058a

Download Submit
C:\Program Files\IDA Freeware 8.4\picture_decoder.exe

Filesize
20KB

MD5
e0ff1bc6952de13207cb53fa7a3b4971

SHA1
26e7e2ec51174ab9573c53ad81245042c69087cb

SHA256
7556d9679ce327b9118f5425f86a490255dce9f7979882a3071732b138da4a14

SHA512
59acd3e64d02439d85245d2bd5622f92fc9d78c6bcc1c282e8b90b8a40ae6eedab175068dcdd6a4658e4762bab503c74aa11b3de41af5b585e6aa3461ceedcd6

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\bdescr64.dll

Filesize
20KB

MD5
8d8ea1d2ab0c6cc789304bbfa881a134

SHA1
f4c833547fb9ae9b401e02e744324c935bb41f9c

SHA256
f7151501fe135c5376e15d650b8c5dd67aaab8a564555c2012e6190576c266e4

SHA512
9a920091bebb9da683cbebf6126a1cfc2868eb3ee41eebd6e34346d4a35e5976febd451a8d7040a75677f7d9dbaac05dd5fd97b8286648631c6c9dbbd63079d3

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\dbg64.dll

Filesize
64KB

MD5
5a3e83bba0be4f4c945ab94177f2ce92

SHA1
10dea10c42455395fe33f8c9878d457826929dbe

SHA256
e929446499ae4ac3c52023ec3a24d74776ab60943c0b5ccd1966653abec02a5f

SHA512
2b23cc5f42f3bd946b4d9d5a6ab69eeeb379ee006d54d3037ce21a624b66af07f5bbd03b904d68b19c40e14c0aa4c5f9fc33e47a00413c5d82129a9f03554424

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\dwarf64.dll

Filesize
552KB

MD5
50909e736f1eda91490c9e76e22b165d

SHA1
f41b9848ef850b9ffb2b6028a514ab8d29ab985a

SHA256
a7db1b614932913029b4446432929538c46e08abaa6865d1e7e745bb0ba87659

SHA512
78cf7e255141475d96d8cdf6bf871e4567294434c360e6a4581a1f82b8aafc4d530e12a9327bc6dfbf74b1eba83575fad90ea3dbc88218dbb31cd32a1847f59c

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\eh_parse64.dll

Filesize
135KB

MD5
499ef7cc7750a2b55f79c3e900b7c0de

SHA1
d0d9052592583195ed5fdf9d9351ae44f5994a3c

SHA256
263d60d029771ae18c8197b66e711f8e3a7839ce8d9a9cb0008c92866de14eb1

SHA512
311adc47f3d8085a3b736db3d8f4d0a529ea9fa00fcea16546c9ede9e520877502c92489a27f06054c55e6dc3859788eab56bdea88296d086639d35cc51afecd

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\golang64.dll

Filesize
76KB

MD5
a511bd88ed6868f4f203fd008248b6e6

SHA1
f0006bf7446c8b38b25a2dc61dc48acae6ab5215

SHA256
99e4c2ebace2cd5db1060c9e991ef0156f66496fdc39df6c065b70da45993b9c

SHA512
274512b24ecd7e4606942d02857a6d656692e50571c829661379343043c10f8a3fd95459b00b30dd81ec6b457bb67f433a16b62970aec4b61cb6727f96a9c6b5

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\hexx64.dll

Filesize
2.6MB

MD5
7d32d27e23558f7e9190e220a6b10787

SHA1
c9d9a3d71298d543f3e70fe249cc6bdd25d180f8

SHA256
ed3be686f259445fbeaa01b43b7690956fb08ce9a28a943abe2c75b69f283a9d

SHA512
596248c8c099ee191cd9174ff34b394f26c0ce9ef1676ce36803001f6b7f9482e4de9d000e4fd0a56760b35dd3193c4cd3865b1bbfb138a8e7e3e4df9f67e0a7

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\iconengines\qsvgicon.dll

Filesize
35KB

MD5
ed973fa567bc9c2b14ce5be86679f08b

SHA1
31f66ade30fddb3be4bed51bec2358f52acedd03

SHA256
2766cf3d89a52b10b8b3432b3a0b991a9a4b36a127bf00ee7cde995a50c46fb0

SHA512
4392c9d8a941e7a4d99f76a7f4572da43808141e57c3cc09df32740c6cd947e58de74a2db8b2ce9923b11ffa961fa1eb792b830ada5d797ae0ea7e746668fda1

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\imageformats\qsvg.dll

Filesize
25KB

MD5
10be44153141b7f342a98371464e9327

SHA1
6d2b21d0a28382d85a1872ca964c0693a3caff0d

SHA256
9cc9cfb7db2cbd70e199c32456186e7ded266fe30e450207387494101a44a99b

SHA512
05c615b9866c63bf56270e844f83d0feb6483b38bdb1f6ad0b3f56070c6b29a118bf78711f9256d3b1c5ee20292d88332f00b89ec9a6e943ba2c80f108385f63

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\objc64.dll

Filesize
169KB

MD5
48e5b9715bc3704303abc6b0e1fd5c22

SHA1
e8361cbc039671e8ea137ca2109a01f45b8b41d6

SHA256
5f33e90c3bf5dcdc73cae31e3d5494f33420331373dd3dde5bb4955a73c1d0de

SHA512
fdbd65c575c8a57804ce5c9ac7fa52261379f27cd530654030b8995968c4f59a03c9b148faf11d423f9920f882386abab1a14dace0e36185468f7ae096ee15be

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\pdb64.dll

Filesize
432KB

MD5
946f0445efa866f983d125da119e3886

SHA1
d00939afcd163e3b9e3cbd3c0fb529d3f00dda52

SHA256
8f5b6d32db06a7fe95befa475daff764354f4f35006497206e1f47c5ab472103

SHA512
22a2febbd94a0aecc08e0f224ec10b07bea629a893471246d7da1a62da6377fedb0963df1997426d17fbc900f92066a97543d0732009ef17878ad0d68657d936

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\picture_search64.dll

Filesize
38KB

MD5
83d24f9e9b3c9b6b7e2f4e7c78162dad

SHA1
df99c99fbfa0cdd1b7057e6e4c76f550e82daafa

SHA256
2e8cbb322bfc02f97e8e20de3bd7dff365ee5ae13fc77b1baed3a828adb48b0c

SHA512
cd1db5fd4932638f2ea0397cdbe53f6b501cfa971fdcb8cc0c1f610792f932933bcaae0585243f389cf055c1ceb7e0e83eb0304b6384641a123f2894701af398

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\platforms\qwindows.dll

Filesize
1.4MB

MD5
d806c1f1e1ae1f2a4481d15d57035d19

SHA1
bd3b915558020550736946de5c06cb635a706a0c

SHA256
49f621f2e5a8b3907099ec0ecc65f3519a5105b8446d7ac451a0ad7359fb7d22

SHA512
8df43f5da8dbf6961b2f592e2a1fb2b5ee279b44129a6f732e932d00e41eb7ffd083e5013a33860a791a769282011d23e86196e0a85a207b46afe2d7ed07a341

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\plugins.cfg

Filesize
4KB

MD5
f39ae2f72d5b94013c720a7f4e540fbe

SHA1
f5c006874adfcfd0e3862ef616b00af89ab59e37

SHA256
dd60b7374132ef1bdcddbedb06fa992168c351c7112b9cc6e65d8dcfebf08479

SHA512
f73fbef26809784a98989bdf5cb921b0de0a0489a1e65d1872f1fe59323136f4d4b1c04bef8d62f3e20d98634ea095e162e61b10d341d221587184bdfd837359

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\styles\qwindowsvistastyle.dll

Filesize
136KB

MD5
32e85e3303bb5675747fef26fc744089

SHA1
f5b5a1c9834a244ca73368c3ffda1e7aeed1dd04

SHA256
b7bb8a6ce946cd9fd74644aac3152ee8130875201ff174662a7f5fc28d1588ef

SHA512
413c5cec9a198bc43769fa33da7843ebfa4e73d676132d08c8ba076c37477c2c4cdb2cf2ef73905bb805d5348577e61187bae6ef61227c104703f00a193e99f0

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\tds64.dll

Filesize
27KB

MD5
2f3c6088692540d08381da6c2e0f2b8c

SHA1
d8401d7c0783fc615cf35ae1ff8eab75db74a85b

SHA256
616458053c4d8442f45c112ac7472d98ee35e71bbc3f99b2a9d8f4b13d5de55b

SHA512
94245892e5898a756fc2394863731387a70ea5db490b8d926c2459d5b39b8984eaa1f2806df1f7a29cb7fda4d778d1407923c459639c6251673ca05c3fe70731

Download Submit
C:\Program Files\IDA Freeware 8.4\plugins\win32_user64.dll

Filesize
166KB

MD5
da2b4680e29b9acde05b759be8df3d52

SHA1
a7bef83f81aab0d6e4182b1225422983215dc7a0

SHA256
1bc896cf61dfbe14d0de90dee1e3f96733d35ddc7ebf8ec015f497094bb1fa20

SHA512
febf76904fd086f34666491987fcd8812cdeff752f86396232d4e7ba87a91dc213c815b8325b74669f53859cf0be8ae0841b0f1c1e4435715bd1a242b24e459d

Download Submit
C:\Program Files\IDA Freeware 8.4\procs\pc64.dll

Filesize
1.3MB

MD5
9928d89f43c343a5be139367b3f0d534

SHA1
d780de8892bdb0dfd6c83c7cbbff50b1ac9392b5

SHA256
2b88e61d8e5a0b1db0e4a97b5566ee56b8fbdaac095b2714d4540b018963d9ba

SHA512
2c63e7cf68b54d8ad5fa5b2f65310cef3b4ab189d285acfa4c74abf547c83e9440e38ee1f9d2d8dd4effada3c7b893e7a283b8f119cc620675482696cfa8d220

Download Submit
C:\Program Files\IDA Freeware 8.4\qt.conf

Filesize
212B

MD5
b94a2770e638de7b863b8edf907e9b1b

SHA1
7ffa722fc4db9b413f9a2364ce8dfd4afcf678de

SHA256
2b946593df3a65ab7d2bc4d5ab26606a829260de2b2441299e1bbcebc33f4722

SHA512
fad27a4cf44b45e39fa2d03a5fd9ebb8c4119ee00d3d0b58cc712492a3b5d1fac31cfd02480b7e2249eddb9a3cf873c1fa84c531242d00266df69e7dcd15fa44

Download Submit
C:\Program Files\IDA Freeware 8.4\qwingraph.exe

Filesize
473KB

MD5
cc2c84f13a8f3597ab0464accc6c4016

SHA1
d334372315897ae5e0cf4b16bc580b8a0e6d0f4d

SHA256
a7ade5698086c0dc63ce910e8eb324671a5b7182d04827f18781be21b1d6680c

SHA512
7e29ccde3be1312d6cd44f71d06264700e9e231b7ed7b293671cc3b1e231f78e6a30d03b8f7ce423cdeffd7987f478dd860a8e0a90a480b0ca470a9982590f08

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\bcb5rt.sig

Filesize
760KB

MD5
571b3d43ccc68cf427abf4e1718cb834

SHA1
3dbad91dbaa8a09b403da2cc417ba715dd10cb0e

SHA256
9a88fa04d34f6a91f35870996dccd037edf73f6551dea8a00949aa89d1492856

SHA512
82da2706b21a233463d3bfd3cb36345800796af21551616677bb576c1cefcdb798033ffc3ba7776eba41fae27bfd2a3a5fee45985593743ccc53254468e59a73

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\elf.sig

Filesize
175B

MD5
f9ef7d055ab878e6e0d47bf8484af8ae

SHA1
e40f78dbe57f67f2ba9e6977d0ff9bbea087e4f2

SHA256
c017c54f899424f95c73b579fbe223d64aed7f383dedb23d143bcc3e70e2e901

SHA512
30f2e55dbd51d6173511fcc62a533a11bcc0ccad18a19520288e32004672dacfa17b10a34deb46073b9cfddb42294ec1ce6dda8ec13eb4bb8acd1b134e4b2624

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\elf64.sig

Filesize
292B

MD5
5ba8b5793f1be73ebaee566c9828c952

SHA1
2ef221a7dc80f9995be2acf1b0fc05d80f5e827c

SHA256
19960ab3168bd8e19bd44af7e3ba92ed006e086319f40f407d75af49e237e4ed

SHA512
8705cbd1cc427144110f5793144dea7dac849ff86783c7571611646eaa51224ae04285ca4993a91e444043cd9e1ef05af58d9abd5f45e477040876b50ef49596

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\go_std_abi0.sig

Filesize
4.9MB

MD5
50ce6d57951f39048999521cd2ed8991

SHA1
fb3d7ee1a5effba17b6aaa99abfaa46c33594594

SHA256
bea187d7215bfbc2e78d5dcbcb366711920aed21faa852554768964468ff81f1

SHA512
5987c758026e7f0345cf550dacfe75a4313da360698e7e5d903dc14a31a57eee563c3b1719cbebbce31b57c9c2599b6112e215b385e2d972f716914b6d7939ff

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\go_std_abiinternal.sig

Filesize
1.0MB

MD5
b65a2e7d62284fee77a7fbcd65b4e841

SHA1
f3e5d07d7da4c0c24ff601caf161a2f6a04f8df2

SHA256
c05fa9e1fdbd89904ce633efec933892e94776e825ba7a91459df78bc6bafc5e

SHA512
1b1dd242816bc79dda7e03ba1bf638f4ac5459c6244403d9f83a0ebe5068cf9f514add9fffc86245cc5639e2b0762af37d7ee2c8aea762fe6a5625d735f4fabc

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\iclapp64.sig

Filesize
209B

MD5
9e753a100822e348b3c95729837abf0c

SHA1
1a300c2a88122fe95f01f0f1892c7826e576486a

SHA256
e5cee88a05cad4f1772e6e9d30d362ba88e556222f986adaa6c78272368c5b77

SHA512
e267025d1d3c1cf83902453905a474323f90d9ba821777ddfe9684df132ca5c5c1e88741acafa0de86748625ec016c766eae17fcec17ce7f0f871b94cae94a0f

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\macho64.sig

Filesize
294B

MD5
ec7aee01061b384f4b1f4ee39c9b87b5

SHA1
46e7ac1e1d6f4b0d0df5a3354ae62b848910cc2d

SHA256
646102242e21bf3d58b687788e2090c2b6bbc1f5025eeb95b185c724f81e0332

SHA512
8420f85fd54b5778155378477db4e10ce37d310c9e4991090af023c201c0caeefd356567369927b709f606fc912c51b20071d7639d047044ed31646a319a5c09

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\ms64wdk.sig

Filesize
505KB

MD5
8e929dd786b49de3cbbafcda0f1a1450

SHA1
71bf969732c559345be9c6f698cc6d24e7b165d8

SHA256
6ea0b621471d3675d22da42206fd897d6c95af693c6a262376e31b53e93e6356

SHA512
9c2111a07a50c440b13cbbf6f7bb93784c3d845184b3b416fdc4e423b72df1371e91ebee4a769fa91c9926d70e78d4338fbfd28106f9e41ec01f2c73c6d6c876

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc2.sig

Filesize
535B

MD5
d699c676db603eb5ab38db8577be9679

SHA1
8759595eea903594eb978f46c3ee31ae2f9667b8

SHA256
9f5be3dfadc89139c9447d12b25ca7e1e8d318753bded8e954d466699500b021

SHA512
cb7bea4bdb72e746fc5ffe5d85bb37caa2f403aeec546f138ce66ee6be17d2e0746f7bd07fd7f6f51475c8e362ade9d639f3d878619fa1d7c6f7077f2b0e9e58

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc2d.sig

Filesize
1KB

MD5
09ec67b9153e1e4d2ee0484433be75f9

SHA1
4c3c821cf8072dcdfae08a493183db7b3b5c4ac5

SHA256
6e00566af5311c35e93c5f89278519c1afd6508ad2bca0473f4a9e0f44792c12

SHA512
c5bf531f70b4548211d3cee977bc84449a0959c6915c2dec0153d5e1354dc2c78214996f3c85595d551277c948581c84b36be770253d23f70d843f1f33efedee

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc2u.sig

Filesize
508B

MD5
21775ef05bf903f156dc23514494b457

SHA1
179c92f4c224366a36d7a6d5b4d28e3de4e46229

SHA256
0aa228ac89590fd96e4ced1578def8439eed390b9852d1ba5f6c701bcae1535e

SHA512
d96b72045143648e267aab954493356cd79a5e1a8a408459eb8c9e4e5a007175fe0a49c938cbcd720c3bc883e883044126437d46c64dae90529a3536d1f9490a

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc64.sig

Filesize
185B

MD5
de7877722be080e13f58ed4534d6de3a

SHA1
235291be811f55f0fe36a8540b912f46ec847bdb

SHA256
3cbd4645d965e60d589e56335a868aa25e89dfda149fc0105ef56806730b6f10

SHA512
a755ef6cabbf154fc1b3d36b44f383832a4cfa228a0998899962e6798715594226176210d82acf9cd91f455684780be39f0852b8ca9d933741ec948bdc5f2e48

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc64d.sig

Filesize
533B

MD5
447d5ca3fe46301778d9eda0ed8c43d5

SHA1
db552c16d972cebc86e08920e10a2acb0134bfe5

SHA256
6e76be99b59f36d8048483efb64b095590c5c7bd3e753d2f4ba2aac29461bfc1

SHA512
05a21b29299da5dd1a4d060d89e9907ed55db75de75f667228a471fae544981e7d4ef5f66369112ee49bf2c08c3968f242acb93a027bc182016026b41fe8ff62

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\msmfc64u.sig

Filesize
187B

MD5
e22423f726b91e0e1621318222e3dd40

SHA1
13d4c1db150ca7f0bd48b81b7808acbf886194ea

SHA256
8b80af011101e9138a0f785a67b05de2e80a703f9f2d463c25114089ceb55c20

SHA512
89cd7a0ef6afcd52c6ba1fb38a4253e0c9fb179d039de36b2092771cb3b18d25861194c975a3bb1ce66075d9d741187cc4bed6ed38012ac431454b3adc35dedd

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\mssdk64.sig

Filesize
14KB

MD5
cc5df08d76da71a1f79fe55007b30ee3

SHA1
d62c1681ef1577dbfbd4a3f74c78d84b7d1864f9

SHA256
24726d7f5de409e6b6ecedd8070cd01f3806bd5184505d7469186904ed6855ec

SHA512
bd5ff0fc4d6ac0101615ee0eb349215fba8cd2cbaa451784b3f024b337bca97b3755bac6ac92d9e62c171356bd6e6112ffc62e0b28edc1779037d84349cfec21

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\pe.sig

Filesize
9KB

MD5
4131fb5d17ced8d70c1878e172585f1f

SHA1
1311bdc7e13eab4e2ef89ed5fe8dd812d6cd7830

SHA256
714909ae09b1aac3f40bbcfdf01b628e02a6e162019d1ef4a8c1d7ec517a702c

SHA512
92daabbe06cf7245d23b114c1cd3bd84615d2eb4b520d491be5043577492596690b33555ba271d5a3654e5768f0d2f0a1e7dad9185c3de42965ed89baf476b33

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\pe64.sig

Filesize
6KB

MD5
b15e0f165448a172d2914faff4bfe163

SHA1
dea870863079c54d12f1a7f5fe6ad7078ebebd7d

SHA256
9cfbf91b2b3ed80665d0637fbf621d4e082fb29e129bb60c2a271d9b21123a4e

SHA512
c24b2aad3e65cee3adbb2d46438f840ceb5e46c7dff2d4560adadcbd788f97ee932cc0c928b248effe99d26809ad259e0aa61941de17a3cc9048607f48df15f3

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc32mfc.sig

Filesize
3.8MB

MD5
70a593cf81d143717c21fe75a1869356

SHA1
38de1275c5d744e3a0e1a272f06c1b056ef13169

SHA256
06a42a2809b5bc79e3b1e24e6fc589685023190845b8a6fa42627ca2c37a7d40

SHA512
ec488578fd5a219473b3b6290d40e0abdef1bf0d549979f2c865fc3f850f8fc4e063b7b08e3c1cb41f3c2c98a76acaaecfb2d89a53fb387659a95f4de07be8d5

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc32mfce.sig

Filesize
105KB

MD5
0fb109c73c899b482f4adcaac9b81154

SHA1
e22f11362622e021853ed9eb76bb4a869bc178ef

SHA256
04c7cdd2470bc63c89efbf4fed1281c31613bfd4612b51536f9cad6f5ca0b33d

SHA512
f832c6ff2424f8543fc723d82bc0cc4aea19a555a2af235ae45eb157fd73a7211055fd2469540bba78787c80c841733ae37099083b09e9da1ab17c838d1de9fd

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc32rtf.sig

Filesize
1.2MB

MD5
d809eec564ab0abfc77c421dbefe84ab

SHA1
8b96b296f82ae8ab238391f947fe1234ad4f2717

SHA256
af4854783e9805d3ffcdd77527d1f88f11a43df4435d48a23a7452c26d91fe27

SHA512
3187c8d61fc7f8ad930aea13d1c7271e9d37a2d1e372087df032e6b30d24ab4363091b335bd0810214b40b5c5b68f9c0c5770641c05547f46b85d09c5d7c1a62

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc64_14.sig

Filesize
532KB

MD5
bcf87bad343481765668a5c18ad26851

SHA1
8d1e1a1d2949873d8b00214f6693ea83fc856017

SHA256
d12ed9165120fea1fa6c7fb7d5000f681ddf72d20d9f5267a68214218b17038b

SHA512
1a24087bdf2ecb9d0e067ce76f14cb030aa6058935e337d4faf6b1f09b09aafa2b55f5c6121a109bc689c3bc8c4480d487ceb3687ab70b5d34e7c61b300ae2ea

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc64atl.sig

Filesize
35KB

MD5
abbab907a097ea6db9a868f9c209a956

SHA1
8eec6ac8b2a477258d8b4dd0b32c8eaa35290866

SHA256
3af82192edd3c7a8e9d4f69a74bb4d902947b68ab1d10a717f4099a39b56970b

SHA512
de6869e727d44dade9eeaa5d62244a2f7ec3add73e57d523de61c32e224ccd26b1b1822815e20297de0a3e30e8d262a8b6218baa1485a7e68d81b2a4d0304495

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc64extra.sig

Filesize
8KB

MD5
4c4888594b9277a355aea2251a41ef20

SHA1
4b001980f73f786fdca90d9f3ebfa6af803f4a45

SHA256
a87ceaa9f68569c902fd9f535fc7677c27100b1d48cc4fa8b615335879e4c7cc

SHA512
dd932e119447ed4d3261f8ef9b18e6b2a6f63235881df25067fa383c334f9c4bf9efe09ed71d308aaf7ff59486775e5176898e924f759121ae482e68c7bfa659

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc64mfc.sig

Filesize
1.6MB

MD5
6dfe9afc8e9061040baf0303cf2d3d46

SHA1
95e7ee683f486043f288851bd23f7d59700b5838

SHA256
b49b860347b6800e35a3b7f3252397011635d35ab0e173a68545011900953112

SHA512
2cc35c6bbc49c8af5c454d22c99503db383d470e0a4111f1df382326f016450b77d793a7af3ea5d8c06ca674c4d1eaba8bf72ff7240f6e892b07c92e1761706e

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc64rtf.sig

Filesize
871KB

MD5
b33f23e6a0d530acb93ddba3ede74cc1

SHA1
7ea898b3f26a905b60da9071898d6e1af9c93901

SHA256
e40da366fec56742d80b606b57a37dac66f70326381a6185bfbda2a162290ddc

SHA512
b86ef3db13c906e4fa78d19560e973198925818b507144530b623da9380bc8eada79a3c9b97d941ee66f6fc6771b14de330430f9d3ac5e69447f6b831888f253

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc64seh.sig

Filesize
3KB

MD5
d450fa792ec5161fc160fa54736778b3

SHA1
47a7f5ab55df1987ec2dcb2824e1e7c5b532ef7e

SHA256
71ea518f3a5823f1345667168157e6782a70bc1d4d712a1f736cfa5ded89c357

SHA512
2623279d23a419c37667ed496e180bcb63189dbe57fbd95ff357a558ad749e7dcf6d1185fd334efbfa78e66db46705cefd89566ac08705b7eefc0f208c15d8da

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vc64ucrt.sig

Filesize
368KB

MD5
652fe6563451a19a8272cd80170cb83b

SHA1
f2c6eaa8601ed6531d6b41aa03e805bac5c4d683

SHA256
ea23153132d9d78aa8a5766eaabc027bb9aee8c8f3d8f57e9411229c5c232649

SHA512
1e9844c640256fa11c0ebcf07fa75a4a0bf7548e8e1129df12e9d2dbf03a0445c29deaa5248e988ccb3044116d3efa97a443abf691963b62609e4b0bd85d5b8f

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\vcseh.sig

Filesize
2KB

MD5
f659ed744a583cebe8a9defb24d7deaa

SHA1
8b645042c421d4fa354dc2ec53898a309cebf6f7

SHA256
eb5c3515a7ad72a0436f6df8f45e02fd817a38bfdea783bb5897b85539789688

SHA512
8857002ff3a3c3467fd4d6f27ad7d818091432a0950816bef0e6db1c8207c84ee1e71b40a4217e0d0cf63c855a27d70bcdf5548801a2e93552a6ad2d0f3a9505

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\win32unx.sig

Filesize
224KB

MD5
803f49b221509dba553cea05346ff0aa

SHA1
9da5eec62e6b5d65cd5e427063b1192e31fa3e46

SHA256
661be014db25cbbc22e5b6da1dd5dd21b36a291cc5874b309dd784f0d0ab6abc

SHA512
e15c66de870a8e916ae5d159853723a55c5459804a3b353ec1b409bf71d6fd718df916c95f6eae4318faf9db011bc6170786a64f186403f87a55b85655deb464

Download Submit
C:\Program Files\IDA Freeware 8.4\sig\pc\win64unx.sig

Filesize
54KB

MD5
7c792ef9cc9797ec4789794870812f4f

SHA1
2f395399a375661f98b4a2dccb7bc070741dcab8

SHA256
d99dbf87db845de36235f9b5f94816b5c6bba743dba6d850401a3610aa884aad

SHA512
5224f02c9737986f46c802cb07a7dcdb6734592c42e8558026b5c4433c142d511f15cfd48dce7c1a4da141248361441be8328aa156b9b017dc27ab681178f4af

Download Submit
C:\Program Files\IDA Freeware 8.4\themes\_base\theme.css

Filesize
36KB

MD5
8ffc5e0332c179b39ea97838267de499

SHA1
65f52e9e5495095f25ad8cc98833db3504475d88

SHA256
95d9db914e2134a71317f3114b8ef6d82d1adeb7ef8aac5c46c11d31d6642856

SHA512
ca5839baa5ef439613493a17bfa74d1e525eefc14ac496ccf5dd4e270d3a75746e5e74a8f2344fb22dba619b3ebe9f50afdcb23e6fba8a1835aaa69eb309c39b

Download Submit
C:\Program Files\IDA Freeware 8.4\themes\darcula\theme.css

Filesize
6KB

MD5
18b5d9118dbde48b5a74d15415f53451

SHA1
162f114427288069f893e223505d9d4a1f4ed6df

SHA256
4e6b181cfc27a98ea6b829a84869579b6d44dc94ce2975bf5cfe58cbbb06e070

SHA512
6982daddaf6aa849d8918c10bb2dbc26a046b0d187b42a51759214619c6a77044374d31920d8a817328426ffc1939e4d659cb8d1410f1991d96c31f45764dec5

Download Submit
C:\Program Files\IDA Freeware 8.4\themes\dark\icons\expand.png

Filesize
15KB

MD5
88d318482b3de1a8ada927e659956549

SHA1
379322d9c42b9b9e1a3aee41b92122db8642901d

SHA256
98f79ce976eb484581ca168fa01679a40cdfc513f19479e6aaad9b078fc1d456

SHA512
cd224d454f58b33feee4e04a3156e61c75d42e670de6dbf015028045edb1f30029e2b44709e8459e3dd5934966bc83488940cb42b08becb23881107d63358526

Download Submit
C:\Program Files\IDA Freeware 8.4\themes\dark\icons\spacer.png

Filesize
20KB

MD5
fa8ec07db9e8bd0a335ab244ed005724

SHA1
8de58a612454551c1bdb6f126932add3be0f9013

SHA256
627a73dec6ba1569b2bbd1ef41ecc3dab437afd470bbafc45609b3fb019f5525

SHA512
e3c3f932bead75b7f1c4b71d5409a932bb79e0fa537321591d4aa3a9667ffdfc194bc0bdb6d1261f676678fee7f3acf110847316c30848f5cd9c87e9ac51b230

Download Submit
C:\Program Files\IDA Freeware 8.4\themes\dark\theme.css

Filesize
9KB

MD5
2ab203d1d8f513cd42656457eaa3d874

SHA1
34c3e380535d3fc51a2301da6bb88a30660b3e2b

SHA256
c841c3475a471ae608669b8dd2ad0bc0cbe27fa7038775b82e51efdc5d0fe195

SHA512
e15990b3ef9a4c53e4e5753682336499eda0dd581ebe0145423446110f124992a4326bfc6f042cf65564765a30abc21e018e98442c73912b27af1cd78918322a

Download Submit
C:\Program Files\IDA Freeware 8.4\themes\default\theme.css

Filesize
9KB

MD5
b6cae5b360c999ccc6de5039d4e9f14f

SHA1
5a4cadddc06b09b785ac95143598671b0a015e33

SHA256
57b025b6bd38c0b574988ef04267367428239c782b0d408da8bf787cd01186e2

SHA512
88502cfe60e7d564ef68318a310e5c923eef1865737e723cb281cf960bbb999accd1bebb27509fee2c0a6960397df10e46afec1f31a6d8257bc3c4b833c3a5cc

Download Submit
C:\Program Files\IDA Freeware 8.4\til\gnuunx64.til

Filesize
1.2MB

MD5
f11e6d89664e9e95c1e8117e092c415e

SHA1
0b4c89cd427fe166855b5b893cc44ac7abb1fd6e

SHA256
b01bfd7226efc80ef711ad57137f89a8a7adc4ff14acea9709c5aaaf9bb6a7bf

SHA512
f06ba3510135ab1f51b40f3155fd50c5e087d44c397664b6268dfd7bbae4fea15d347e89d80e4cff81fdd4e55c991352c9b572b8ccc40f16eb18e1a9f88b362b

Download Submit
C:\Program Files\IDA Freeware 8.4\til\macosx64.til

Filesize
954KB

MD5
e1d68f757af176cd69a3fd1fd6808baf

SHA1
541d224f35e01ba372dfe0ada68e3610091e92c3

SHA256
a301d8bf8406857f5a6406e3738ba36367d1c720b7beeb87786dedf5ef602596

SHA512
aceb7f72c5a015a887d19bad7d27df35f7222ffcf2eec564d6ed7fa215246854a9f026d69bcbb46f38831b7e05f95203a091e0dabea09b0a283e2027c540eaea

Download Submit
C:\Program Files\IDA Freeware 8.4\til\objc64.til

Filesize
39KB

MD5
43f4e4bde98bd870efa8aa8d90e006d5

SHA1
964a82557964908939127829cbdd2819c06c872d

SHA256
374a488ffd7f8694123d57c7a04d564528c9b585765bffcc4cbf9ec5b2cd9025

SHA512
ddf046a69f730126113db828c7cb59f46d3019f47da791d651a01f3da5cd82dd17b3ff833a32113d49301923b74621e279792a475bc25da73ae1352194c1d9a2

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\bc31.til

Filesize
25KB

MD5
daf82a4c4a93f0714bddb6512cfc11b1

SHA1
9aca16b26768ffda924b137d073366ac8e0de71e

SHA256
abd2d82ac9c253f67465d6f82bf16bc7146357cc2c0532d90b8fdb0a0a0afdfa

SHA512
941912b205561f048a1f4e44cb0cd166a55b9efbc9461da5e14646abe220ebeb665ae5403a4e3ecbc47c4fc58708b98a6d6b92311ff8b49d6fcf18accd18ddda

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\bcb5win.til

Filesize
654KB

MD5
b6555c2acaeb0cc9181c33221038a37f

SHA1
225158997869ade3d1bd72def0617ae6739c50a6

SHA256
e0e5d36346d2e31f9cf19681a6fee41fe7953898fc2055264dcb74d6f0887eb7

SHA512
17f98b1e4988d11e8f4a3fe1e2295b0cc0132e23202ac85c4bede526e63b57affec3f2a63f5b40ecf85fd9cf78979ec5a887cb3e6cb1671c930f3e35d2226063

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\gnulnx_x64.til

Filesize
15KB

MD5
36ead1da435276ca39c17a95ee6e9089

SHA1
85d87870d2a57a58527bf29d062e15a833617f8f

SHA256
731d8faf79ab3875338d7d9d03f8fc583f89fdaf92f5c484ba79e902cfc2b0f2

SHA512
bac31ddab91cbb500553b878cfa2c87090758dc4539a6c0af77aa3d79554824151be6e4e6ca8dd0ff3a5cd2bd860a5207d74acba899bd05facba0eb00ed07ba0

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\gnulnx_x86.til

Filesize
16KB

MD5
a032c62c57acec17547b4fda7950cacd

SHA1
35b3c06a1b53dedd27e6279fb0b83bf944fe1c7f

SHA256
d2e2a613f9317b498d591cf9c7f4f634f8bef14a21a5870fc75c4545831074c2

SHA512
83e71a52e8ecd1459b4fbaaea777f6ccd1ba90c8a1fb0fab5189e5181bef781200c1f8a5d9dd1d76a7ce81a7f5eb5cd75f0d9c3c3beaf61b66b63bea9ec1daa3

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\ms16win.til

Filesize
191KB

MD5
64441c0f0059e12f77a0f0df560a12e7

SHA1
1e8d1aa8ba94ba98c9e794e5b7d63ca67a85a216

SHA256
3cf092e52069cc9d5bb2a010f7ba13203b910feecdf9936eb3617bf34e3742ab

SHA512
f4728610a78821a144ea88c8f92298da3aeea5bf7b1d1e90f6aa0607b1b0c232ef96d4f9bfc1b5a731714fa6c841095fb51064195dd0a271aeb66716ff09a9aa

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\mssdk.til

Filesize
1.4MB

MD5
2a76100ee46976a28d19a44564c369c1

SHA1
82ee9e4bd9592f11ada181ce5d495d57de263538

SHA256
7062cc77ba12737c8a4b549e08b1fcb57ee96d0d7614f7ea2b877979cfd3642c

SHA512
6a1eb5e4d0a9a9a7713e8172f14bdad161b04b4f6abbbc79aef3b43e975640094b87fc05ae3996f0bb5689598b51a7978b6d881259c40fefd9953891ca3e2f29

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\mssdk64_win7.til

Filesize
1.2MB

MD5
6b4e2556ce8af514fbeacc75017b6721

SHA1
5ded8e86357cea4146f82e82c638a2d7d75fb535

SHA256
1ca166e142e76da60209871a8554af0565e5fe0e2223435f04136696ed400bd2

SHA512
b02e7201c079ba058890b14733497b8bbadc9d346122d3f5206c27e8391f644453768bdcd37e802972c8ae45571d4c5e384eb536f69f809e329b8da04adb9cab

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\mssdk_win7.til

Filesize
1.2MB

MD5
0b82479898006be3e9eae6bebe9a2149

SHA1
a6ee094f542e27cd59d3d0922d99fff0eacbc565

SHA256
a336f00140d01367a6bf13840dc046ef6310297d4dc348b08bfa3a29064327f3

SHA512
f879e80d405b2c3bc3b8437196278bb54ad3b4abffd0a2dd1abd410f8269c5916d688bf0b0f8a7da8f61294cd25f75cdd28e9f2e084be2d96de191010de4ee62

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\ntapi64_win7.til

Filesize
428KB

MD5
89a256a3132bfe81f787185e6aad0266

SHA1
c0782b4583b5219c0451d0653e5275ca9fd5ddfd

SHA256
0ca660bc68815fdde6d704d134c476345be5140c8ca6563fc1c2aaf351a83d3a

SHA512
e521816f4c678ad1781a0010d2922e34b57d1510f9570fb57740b47a962b21340d42dab32ef643239c18fdc85e31d3f911fcb0d66cb2df5143008382cda93c65

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\ntapi_win7.til

Filesize
428KB

MD5
8e91154d1e168ee0951e0efc7700aca1

SHA1
e21a16637e0d31c4c40121beb531930e2ccfb29b

SHA256
c77ba2060c537d048a9b852c611c4bb7b3ea50b905248d0514417e2f0bb82fef

SHA512
abe0f68acd8cce707a56fe9dfdd2623e4bfd0debb53f850c968d34250f617cfd461a6eac5990e14881d01514886cf1081aafb8fd508fb909af055189259c90de

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\ntddk.til

Filesize
1.1MB

MD5
6f54d44cbfaccdd0dfaa3b0bb1f7bcae

SHA1
90f527cca7756b1b5f2dd30166bbe96b596c1873

SHA256
5579bee913c9431c9f4a01fd8bb97c91df3d68baad1be69e3200e61e880ab63e

SHA512
6889aa1c1f0b773b1212969727131361cad7b7721b7c640a41725934da9746d13cb64715e8c40f5852ddaa86f83688c0846e010442fedb756288a051ef38a7b0

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\ntddk64.til

Filesize
1004KB

MD5
e7381ac16348f9f7665797f47c09f2e8

SHA1
b2d8f5033e2033f390a7fe2c955fb8dcf9e67667

SHA256
b6cabb8a1fbba7ee66482d56ad515057f22d57dc36476424b442bed90e7d1720

SHA512
c30c18a9e6eea11f4b5f2088fce01376f7616588f02812f77bd9515d745dede60c76f37553333740a72a7f975086be2beb3ccb09022d4e5e5f2a5763a52a31b5

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\vc10.til

Filesize
57KB

MD5
a612ed986a433af427fa63d7da58fbf6

SHA1
2da6a2690f2fe31785d87097d14235653bd2ef33

SHA256
2fa9585da69e05741692879ec616336064802e944211c0b4b9c01ceef8e728a1

SHA512
58230af8119ca6e07e867b23e41b1042a9d578755572364c76c85f70c10fe819ce066df9f49ad59fbf3f281d7cfc818b5cc45d1092501799b15a3f4458c9ed30

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\vc10_64.til

Filesize
1.1MB

MD5
1f79963690f5156877f2cb97137ed7d4

SHA1
6d68db13b6b517c8cbce2411ba9adf5a2a0b45d2

SHA256
45a7262b729f0d72d994f9eac889d0fe8adb3db1d1210919b6a82b7888337910

SHA512
43d0f937dfbeb4df2bd8a9bd287d05071a08c72c61b834bc98d755c954b8d124062468ff22318d42a2f7195e8ece56f174a6e11eef629f90743f405e0077c371

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\vc6win.til

Filesize
960KB

MD5
7d0ab6db8ed3a7e543966d210bb8bfc5

SHA1
e92ae9da4b92673b0711d6deac6fcc9430fbf36a

SHA256
78784ab42882b3428b66c551e1ead875f6ae26d312cab0c42bbfaa4493098af7

SHA512
ea149b7929a60f29bff345ab0f47804d4b60abc45d27b26a701bfcd831fae2b8361b988c10b47361bc7d8cbb84f0f28d410f2a4540920e788ce82c29767af0a7

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\vc8amd64.til

Filesize
1024KB

MD5
0e16ad7c1eef051ed2dad7b6e52de39d

SHA1
869f42ac094b4414c0c77c7759099f6ddc29dd6a

SHA256
7367b6a4be13bd61039a29af156d7bc4930cce82429fc82e79d878fde91da930

SHA512
a141d8ef39eae8b9bae42e48a52f4101d3183ea8d1798b614262fbc632d8f205e12d349865eb6f4354635b175f018588a7780a572b4e29f5136093414c45bece

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\w16dos.til

Filesize
25KB

MD5
ad17b4450c74ecd0dffe3cc5c956609e

SHA1
13145357126049648a474afcdb9db8729587ed21

SHA256
66c0aaebd27a21c93ba89a98a92ce570605ff6a7a1706a76ca5f105c0f0b85f5

SHA512
ffb2f71cbaf4e12c3c4b17bda6cac0caf188b9ea394e0dc04b6aa918b2cc612fa7f750f484c3e816747a7dadf50c5b7093e79ea9f474497dd053e6e845a29780

Download Submit
C:\Program Files\IDA Freeware 8.4\til\pc\w32dos.til

Filesize
25KB

MD5
c670af6b1aa85ec91d2f3ad00dc5769a

SHA1
be01e6c68c59103a99584f65967e38574fa36f35

SHA256
6fd1573de926ad737231341e805bee87a8c4692be10612b9460266d60b9da213

SHA512
6f977991e75eb84dfc5670329d664b3f3235a32868ac87e2f5b41c0887d4c5e9ccf363c674ac502ad9d52b6c054916bdb773120a5babc4fe40a6f3c3e6bff445

Download Submit
C:\Program Files\IDA Freeware 8.4\uninstbr.000

Filesize
5.8MB

MD5
1103640a2963f0b7b9cb5e2690025558

SHA1
324fee43f236679dc66373b3ebbaf353e5882280

SHA256
4efad6573c23f222c4317b8b809f96e4dd26689e3be77d0387fb1c6e1fe55470

SHA512
5fa2c29b11b51da46f626a9225950caa59d5653dbc7344d6203eb120192c48a55bb33cccfcee34dfdbfce84d57c616cb254031af014cf217a9fcb77c9c2f5393

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
583B

MD5
1c980549a1684d50494e3813965efc63

SHA1
6282a474ae8672967fc3d271fa7fc6c33659a78e

SHA256
3fa6dd3cf4033fd155300b5e5017239f105103fc0afe74e45c4b9162c04b316e

SHA512
97241ebe20372d0506000db6d8f4d1ee1a560f4dd143d03d499065525422387aba10527946050bf1c759132a745936b898cbdd29730e61c0c0c5f4ab72722910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
34KB

MD5
02214b097305a8302b21e630fa201576

SHA1
90c2a31521803b73e847f7a3e0cfceec84df9fa5

SHA256
1d98076cfae6a0a8f0b0b1c654270b900de83e633cc01d98ef63e6a8e485a3f4

SHA512
553c81eb51880f83b9918aef766ff0f41170895b1cda2589f0b69c3d1362de8e8decf14a413f6b5df1fb7ce07fc939211407b29046188b37c290133c9d5e1cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
1.1MB

MD5
805392659850fdfa60226fd42ef81971

SHA1
10470407571d6def6de4f96c9a2b0c3f7a47cb18

SHA256
45ae0c1890c434bc0cb4cf2cba10a8dfcd7dcff7a40f653bece6f2c9f02da195

SHA512
f9ac02dd1b2448af61ada309de1cfd8d3c18e2d726b188c4d0ef088d2566256cfcab2b613357f3156c3d2d6d3763d7e70e95ecd61127d1e7ff8749a1b71b5023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
74KB

MD5
bc9faa8bb6aae687766b2db2e055a494

SHA1
34b2395d1b6908afcd60f92cdd8e7153939191e4

SHA256
4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed

SHA512
621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
7202f1758f550ab75e25f1fbddb7f494

SHA1
73134d1f8e2bd8ec7200cf1e89421c6f428b577b

SHA256
dd5c6b10d6f2f0ba38f1b48d4a994db2691889479e0bcfd514d397ccaa6cd5f7

SHA512
9e8e6e563423e699321a9c3e5ea225edba0db206ee7beff37350d1688c7b8942502c3922dd1c3e42ff4cb22d14fc42d47b94314083b060166e2eafa2aa2bef73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
13d80070357471541e0223a080d4a404

SHA1
c0f2af214621b31b7fce5b82778802c59526621b

SHA256
ffc24a1804fb1f50d1b87b34f3badd58b5adb1562eb94b988c5381e62f9bcddc

SHA512
1913ed73e2e6e053cde00abbdc81f0129d7948d243a12a3df933f2c1755711ce98a00370b2fa71658a78e31f8dff3f9c1d4f8baa852fbbdd5b9ece4e3d03d7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
478a8eb2524b322629223857cab04184

SHA1
383c9ca5bd7f0340809af015a5947fa3a8ba9ba0

SHA256
2d931132beb3a15f992d8f4b0c0e648e13391e18f58925daf9163933f04dc7b7

SHA512
189e8d1aaee1af045ad237568292a4d68e79d0af927fbe54fb8828130fc61ae7e3299131909279b0df933b96093471cda829acac5da740d29bc9bf949078d869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f506186ebc16b7b077e1a1b49c4354b3

SHA1
6b43b8da5e3b2376f0de679d76db7154e6fd10dd

SHA256
4fe923e20f99cb5898a9d1b9fd6f159b1723aac28deb7072e2bcc44e291eee07

SHA512
0208de32e53afd57d453a18df352fde76601e619a6c801a49d1df04a4bce79719202258e7af4266a953e89982bd8c7aef05f9dae8ddd8792163d0c5282132e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
173b04c98fc8511bfb2d73b5fbe09ba2

SHA1
c5c0d19dcc9dae25ad3c00c2edbef880d3c90cc9

SHA256
acc9250932acbce7060d92b828cca6029d80070aa9e5ce81d6e99a917b564b9e

SHA512
b823770501dbd53b24d969bf20f3765689497133f578047331e9b5dbdeb68ad89d77acd0a2fe0fc58e1a8867c2b100593a956f8db9eb6a0cbbba3e243e6203ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2071e38069fbbe349e7109602e0c5691

SHA1
b5ca7e06651b98f67b5002ea9749b8cb607c2982

SHA256
aca965ab0de701030706393eb8a033cf66d383e47e8c6bdef7a24df9c1daf3de

SHA512
4df9fc0ce82a8b12f25d543879854d7a16067f79766a682e39b97cca1a5fb979367f5921c20ab709399383c1becef4f4b6009f2a0d6e029632de405b9c4d3755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e56e99ddf600ffba7953482753d77dd4

SHA1
53e010675e2ebceecf7cc9f65fcff50af17bb9e3

SHA256
c7215021b6f6877f4b2ea000f07934139d9962bf39700fa78a71446b71aebee3

SHA512
07e0179b2198dbb1d686ce11d86990d83c3caff94cab6730c090c0fe144d9eafc8d248629c026b060c7ddd91ce0dfadd433a28d4274ab31c0c29dd5ae5c2169a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
312d0d2d6f2fa23662f332247b4c2312

SHA1
295094e92446d523b9554d190a28f43ccde49df8

SHA256
0d26e1bf80bf6582ae87c4c20bd6253a64a3042b105c066e893cfc210f113c60

SHA512
def3825553b9362eeaf066382ab2787d88060009dfcb9bee280f1d5c738d8cfaa83958555adb9ee060f0f7bdddec6fb3d30ca5aee1bc3b5b4332be3757f0f293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d512354f015dda818c079a954745dfd7

SHA1
1449ec216992d5f80cd769e5c4eedcba44ff1d0e

SHA256
67298afb53f76f6a138cc04ca72a8234d4a9c11c3e96b72b3af4a120db7e86a1

SHA512
65fbd026e8f09bd6bddf925c685773f233ad8b18930de7f76e71f0ecc697f2717ae2e76a00959c793c5754fde9174b940c998799235993872b13ef209d429b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bb12.TMP

Filesize
706B

MD5
cf36421d44c7bc9ed90ae2f824449892

SHA1
5d2621110af17f81f0be217a26abeca537615ce7

SHA256
9ca7606dd1c56bb579c2aa7433e56f47353e8890591f77dd0c30cd17568aa8c7

SHA512
b84d746f4a4240967e1165d6d9c1c22c79df785772002a2babc70708be44c47c95c0db9aca03af0a827d45a00707654cb4e12b1885b818e9d0f98f0efe66d3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e6e18e9e255df30302b18983af487aae

SHA1
41f8bdf11d91fe0770af19e6d9a5e084b2b6cb4d

SHA256
db5ec26a5f716db9103149e32d7433eb325dddd51f551a8cc2307e3929c5c34c

SHA512
5912611dd82526599c4d5eda627350a6236d25a8e96c2d7f0d9bf78ffa6e8c49d9131ff248a389a00188d21c9ce5ba15a14757c5ce93ed24ec8c51d592f21c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BR2D.tmp

Filesize
56KB

MD5
145d5c49fe34a44662beaffe641d58c7

SHA1
95d5e92523990b614125d66fa3fa395170a73bfe

SHA256
59182f092b59a3005ada6b2f2855c7e860e53e8adf6e41cd8cd515578ae7815a

SHA512
48cb0048f4fcf460e791a5b0beca40dbf2399b70f1784236b6d1f17835201d70dfa64c498814b872f57e527793c58a5959230fe40ddf5ebdcb0b1de57e9c53ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRF7C4.tmp

Filesize
43KB

MD5
99b50db8d177a51b7077084bb75673b5

SHA1
ff68863631241c2159cecdd03f5101e628b25bf7

SHA256
09db806002dd23cf97d5b8057a792fc90d11fe5c595f63f92f5c4494b33cbc6f

SHA512
fc5b6d06f95fedfbd929ecb2ed5f86cd0fd797140b54be29b23c8096925c3025504d0613f85ea4c2f0e459b8cd59dba22395c8348801a332d6595bd83d87d4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRF871.tmp

Filesize
288KB

MD5
122a3741699fb5c0950273245c9dea15

SHA1
811f9149e3310a8e6521da156f92f3aaab012145

SHA256
f675eba3b22e0a2238ec4961d99de3bacca0ab553ab26eecb49800a12a9371ab

SHA512
567c480f70fdc78769ae45bf83b6632f7ab380ebeb00689028d39ff03840c8b778149a3fafe1dab2ac77a1fd17a23b09f58774b1c5e791bfd33b99528225eccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRF95C.tmp

Filesize
35KB

MD5
08ad4cd2a940379f1dcdbdb9884a1375

SHA1
c302b7589ba4f05c6429e7f89ad0cb84dd9dfbac

SHA256
78827e2b1ef0aad4f8b1b42d0964064819aa22bfcd537ebaacb30d817edc06d8

SHA512
f37bd071994c31b361090a149999e8b2d4a7839f19ea63e1d4563aada1371be37f2bfcc474e24de95ff77ca4124a39580c9f711e2fbe54265713ab76f631835a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRF98C.tmp

Filesize
121KB

MD5
2f427b95ab4d18e83f89a001c6b861ad

SHA1
56d10658f71f102961ebc334d277728025d01cdf

SHA256
00ec351fd1e77bcb5bf452b9e8dc5b386c65d74d02815b0adebb70fb57db5416

SHA512
ebe0b9ca89c2ac2e70d23043b495a21d5c29b5e22ee458641119b7394ac307ae50cc2f636fc409ddbb2039361547106961dabcae0c123055c315f8f900074d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRF9AC.tmp

Filesize
532KB

MD5
a6f7a08b0676f0564a51b5c47973e635

SHA1
d56f5f9e2580b81717317da6582da9d379426d5b

SHA256
5dd27e845af9333ad7b907a37ab3d239b75be6ccc1f51ef4b21e59b037ce778c

SHA512
1101813034db327af1c16d069a4dfa91ab97ee8188f9ed1a6da9d25558866e7e9af59102e58127e64441d3e4a768b2ad788fd0e5a16db994a14637bfbade2954

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRF9AC.tmp

Filesize
384KB

MD5
244b008f537c6cd46e5966239509f5eb

SHA1
0e7aed119aade535838f4f78cd2be2b3927eb6f1

SHA256
267b3751600d37b686619a06f83ae1e643f6a9d05892fe41ff18a04fca4aa8cb

SHA512
e48efcdb3f8efc4558ef7585d7a830ff48bfab5a9a72a02a6435909d550b7a5c1b2a2948a19a18473e0ce97f561f75e3e067d5ba4209125af1f0e305ce8931d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRF9DC.tmp

Filesize
72KB

MD5
c04970b55bcf614f24ca75b1de641ae2

SHA1
52b182caef513ed1c36f28eb45cedb257fa8ce40

SHA256
5ddee4aab3cf33e505f52199d64809125b26de04fb9970ca589cd8619c859d80

SHA512
a5f2660e336bf74a1936fb2e1c724220d862632907f5fd690b365009ac3e1bf35fa6689071f3da4049e495f340ff83f8438b79079ef1f248b9dcaedbdd5d3e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRFA1C.tmp

Filesize
14KB

MD5
77fe66d74901495f4b41a5918acd02ff

SHA1
ce5bbd53152cd5b03df8bcc232a1aea36a012764

SHA256
b017168c69ef40115141813e47122391602e1af28af342c56495b09f1c3c7522

SHA512
cc6e323d0076577a0a04dbe2c33d90dc616cb5ec3637d3df67cbf169766ca2e6de567fcff4f32938fd6118d98e4796642a3010b7264f0ae247fa8f0fe079bd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRFBD2.tmp

Filesize
14KB

MD5
d74aadd701bfacc474c431acab7b9265

SHA1
8a2b424d1f949430ddc1faddee3e9ccb79c95de2

SHA256
f1029f5cca3dabfeffe2c9db6ad84a9ff0f64f5b2fb85cb6ab348740f756e07d

SHA512
0ef85e311fb4843997fd5f87f0a2eec9715e26eae76bfb7bb701d8c043720aeaf7f4825d25187bf35e0a9f00def15ed071120128805445f1330c07c3e0ea5ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRFF5D.tmp

Filesize
74KB

MD5
924b90c3d9e645dfad53f61ea4e91942

SHA1
65d397199ff191e5078095036e49f08376f9ae4e

SHA256
41788435f245133ec5511111e2c5d52f7515e359876180067e0b5ba85c729322

SHA512
76833708828c8f3fad941abeea158317aff98cf0691b5d5dfa4bca15279cdad1cc23a771258e4de41cf12a58f7033a3ee08b0b5eb834d22be568ea98b183ccd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRFF6E.tmp

Filesize
102KB

MD5
78de24eb7826b1338849ff0348a7e82b

SHA1
03080b8f1c9a7a46951d35f8623ed39c4ba4f722

SHA256
5101c472779b552f3ce044bc2542f726068d914c0d396c8dc1d99ec1aab80767

SHA512
f24ec06717cfbe0d2fcc4ce591b6b5161183c8f62a2db0a43512c676fa1345ddab397f7db6f612c4587ab431274d56bba58c71943afbf60276e45d404429ff64

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRFFBD.tmp

Filesize
24KB

MD5
4cf27e0747e5719a5478aa2624f6b996

SHA1
13df901e34f77e5ea11f36c0afedda7f86a2c003

SHA256
e69a9d06f2c17cc021ebf9b62ca110548facdc147b67dea4846e09865043d2d9

SHA512
4b0ddcbd7321128f977e1dbbe18cc76c7e489d4ee84b7775989e99778b5a60daa683c6063c5b700794b7f2070ae381fef20b19b3cb35c1babef9be79ff264941

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRFFBE.tmp

Filesize
24KB

MD5
124e89d0fcc409ede3595a253b788708

SHA1
bc88e037c3edea02dd20aeff10818105be9f4033

SHA256
27ea1b57a3024aec4a03188e80fdb2aa301fa5179c19be9c8b0dfc2aac73a114

SHA512
7cd0ca268a5dbd2aa22dbce1f253a2d067ca30c5195e059c3f431d546a20d1811592f8bd8fe88b6ad9cb5c6fdd6a4666ff451b84a5e790a9d5058865d48790b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL0000049c\BRFFCF.tmp

Filesize
100KB

MD5
606f13d4d580b1f322b3f3d3df423bba

SHA1
02cb375e13b415edc8b5360dffdba531e47827ed

SHA256
c71a16b1056e522cd0365449448116d06f37a3273d77694d170340064511dd25

SHA512
867a45dc15e99148f24fc528fbc9255582e5534bb4696700292b70163fddb15f35ddf2acd0536a9cd78b4d8f9d827bf7530d2303bfd7e428f11573b381a0986c

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE.id0

Filesize
504KB

MD5
586cb6bf13ad05c7667e71b626fc7b68

SHA1
7e153c34285f3f2da429180d63d4e52cde924d2d

SHA256
590c47de8260264861741e7d1d459c0ebd43fb23c9a2328c40f701d29aeedf5e

SHA512
5b66909f5ba2757ccb7dbf96702e697acfd0fca2ba5a2df576fe350325f313d8aa5d967861d4e4af52c5877329b665243ee680a285f5eda33d685578f6e5bd7b

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\LOCAL\crashpad_3924_OCFSDCVPUGJZYBYD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1180-394-0x0000000075240000-0x000000007524B000-memory.dmp

Filesize
44KB

Download
memory/1180-386-0x0000000002D10000-0x0000000002D1E000-memory.dmp

Filesize
56KB

Download
memory/1180-1435-0x0000000066680000-0x000000006668E000-memory.dmp

Filesize
56KB

Download
memory/1180-1434-0x0000000075580000-0x000000007558E000-memory.dmp

Filesize
56KB

Download
memory/1180-1437-0x0000000067C80000-0x0000000067D0C000-memory.dmp

Filesize
560KB

Download
memory/1180-1436-0x00000000710C0000-0x00000000710DF000-memory.dmp

Filesize
124KB

Download
memory/1180-1438-0x0000000075240000-0x000000007524B000-memory.dmp

Filesize
44KB

Download
memory/1180-1439-0x0000000066C40000-0x0000000066C4B000-memory.dmp

Filesize
44KB

Download
memory/1180-1440-0x0000000066C00000-0x0000000066C14000-memory.dmp

Filesize
80KB

Download
memory/1180-1441-0x0000000067E00000-0x0000000067E1B000-memory.dmp

Filesize
108KB

Download
memory/1180-391-0x0000000066680000-0x000000006668E000-memory.dmp

Filesize
56KB

Download
memory/1180-392-0x00000000710C0000-0x00000000710DF000-memory.dmp

Filesize
124KB

Download
memory/1180-393-0x0000000067C80000-0x0000000067D0C000-memory.dmp

Filesize
560KB

Download
memory/1180-1194-0x0000000000FC0000-0x0000000001293000-memory.dmp

Filesize
2.8MB

Download
memory/1180-390-0x0000000075580000-0x000000007558E000-memory.dmp

Filesize
56KB

Download
memory/1180-395-0x0000000066C40000-0x0000000066C4B000-memory.dmp

Filesize
44KB

Download
memory/1180-397-0x0000000067E00000-0x0000000067E1B000-memory.dmp

Filesize
108KB

Download
memory/1180-398-0x0000000000FC0000-0x0000000001293000-memory.dmp

Filesize
2.8MB

Download
memory/1180-378-0x0000000002BA0000-0x0000000002BB9000-memory.dmp

Filesize
100KB

Download
memory/1180-1357-0x0000000066C00000-0x0000000066C14000-memory.dmp

Filesize
80KB

Download
memory/1180-396-0x0000000066C00000-0x0000000066C14000-memory.dmp

Filesize
80KB

Download
memory/1180-1433-0x0000000000FC0000-0x0000000001293000-memory.dmp

Filesize
2.8MB

Download
memory/1180-389-0x0000000000FC0000-0x0000000001293000-memory.dmp

Filesize
2.8MB

Download
memory/1180-1359-0x0000000000FC0000-0x0000000001293000-memory.dmp

Filesize
2.8MB

Download
memory/2364-3006-0x00000000741F0000-0x0000000074272000-memory.dmp

Filesize
520KB

Download
memory/2364-3007-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/2364-3008-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/2364-2972-0x0000000074130000-0x0000000074152000-memory.dmp

Filesize
136KB

Download
memory/2364-2959-0x0000000074160000-0x00000000741E2000-memory.dmp

Filesize
520KB

Download
memory/2364-2958-0x00000000002D0000-0x00000000005CE000-memory.dmp

Filesize
3.0MB

Download
memory/2364-2956-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/2364-2953-0x00000000741F0000-0x0000000074272000-memory.dmp

Filesize
520KB

Download
memory/2364-3009-0x0000000074160000-0x00000000741E2000-memory.dmp

Filesize
520KB

Download
memory/3420-1553-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3792-1455-0x000001F6C20F0000-0x000001F6C2100000-memory.dmp

Filesize
64KB

Download
memory/3792-1487-0x000001F6C20F0000-0x000001F6C2100000-memory.dmp

Filesize
64KB

Download
memory/3792-1452-0x00007FF6E4C90000-0x00007FF6E5100000-memory.dmp

Filesize
4.4MB

Download
memory/3792-1453-0x00007FF9BDD50000-0x00007FF9BE2A8000-memory.dmp

Filesize
5.3MB

Download
memory/3792-1454-0x00007FF6E4C90000-0x00007FF6E5100000-memory.dmp

Filesize
4.4MB

Download
memory/5892-2890-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2891-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2895-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2886-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2885-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2884-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2892-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2893-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2896-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download
memory/5892-2894-0x0000020A757D0000-0x0000020A757D1000-memory.dmp

Filesize
4KB

Download