wannacry | 9e7a8780a67bbb7153e1d0028009f4b9be9c7f7a62c2566e221bc81a57c28a05

Analysis

max time kernel
548s
max time network
552s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
30-05-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GlitchrollV2_UPDATED.rar
Size

9.4MB
MD5

04c69c43747f2f583a46b546b718bb32
SHA1

9cd561e13af9479ba74a86416d218425bcbf7a66
SHA256

9e7a8780a67bbb7153e1d0028009f4b9be9c7f7a62c2566e221bc81a57c28a05
SHA512

daab355dd8d8b9759b21ff179c2dd7350a16b0266c2201ac92c1b4ac1a3e99305a7f8d949990f0332132a1213c507483cfd967e3bb178bf713a377b38c62084e
SSDEEP

196608:w3SQae1xlRLLtd61sN7up52/y1X52lMEViRd/9Ti/s+Y:Cai3RLRM1sN7ueO5DEs//9Tiw

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD771A.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7713.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 25 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
1868	taskdl.exe
5428	@[email protected]
5492	@[email protected]
5604	taskhsvc.exe
996	taskdl.exe
4220	taskse.exe
1624	@[email protected]
4272	taskdl.exe
3616	taskse.exe
3212	@[email protected]
5308	taskse.exe
5304	@[email protected]
5328	taskdl.exe
5400	taskse.exe
5404	@[email protected]
5424	taskdl.exe
4672	taskse.exe
5292	@[email protected]
5336	taskdl.exe
5740	taskse.exe
5092	@[email protected]
5420	taskdl.exe
6704	taskse.exe
6700	@[email protected]
6812	taskdl.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

5604 taskhsvc.exe
5604 taskhsvc.exe
5604 taskhsvc.exe
5604 taskhsvc.exe
5604 taskhsvc.exe
5604 taskhsvc.exe
5604 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2984 icacls.exe

pid	process
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe

pid	process
2984	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waznenvck896 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

67 raw.githubusercontent.com
93 raw.githubusercontent.com
101 raw.githubusercontent.com

flow	ioc
67	raw.githubusercontent.com
93	raw.githubusercontent.com
101	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5984 5492 WerFault.exe @[email protected]
4128 5492 WerFault.exe @[email protected]

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

pid	pid_target	process	target process
5984	5492	WerFault.exe	@[email protected]
4128	5492	WerFault.exe	@[email protected]

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615493342472218"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 7 IoCs

Processes:

msedge.exemsedge.exeOpenWith.exefirefox.exeOpenWith.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{385019E7-D20D-4428-A325-BB684317C573}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5136 reg.exe

pid	process
5136	reg.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exefirefox.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\jigsaw:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

vlc.exevlc.exe

pid process

3768 vlc.exe
6432 vlc.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

chrome.exechrome.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemsedge.exe

pid	process
1520	chrome.exe
1520	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1456	chrome.exe
1156	msedge.exe
1156	msedge.exe
844	msedge.exe
844	msedge.exe
1400	identity_helper.exe
1400	identity_helper.exe
2624	msedge.exe
2624	msedge.exe
3424	msedge.exe
3424	msedge.exe
3556	msedge.exe
3556	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5604	taskhsvc.exe
5692	msedge.exe
5692	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

OpenWith.exevlc.exeOpenWith.exeOpenWith.exevlc.exe

pid process

1100 OpenWith.exe
3768 vlc.exe
4744 OpenWith.exe
6300 OpenWith.exe
6432 vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

vlc.exechrome.exemsedge.exe

pid	process
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe

Suspicious use of SendNotifyMessage 46 IoCs

Processes:

vlc.exechrome.exemsedge.exevlc.exe

pid	process
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
6432	vlc.exe
6432	vlc.exe
6432	vlc.exe
6432	vlc.exe
6432	vlc.exe
6432	vlc.exe
6432	vlc.exe
6432	vlc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exevlc.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]OpenWith.exe@[email protected]firefox.exe

pid	process
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
3768	vlc.exe
5428	@[email protected]
5428	@[email protected]
5492	@[email protected]
5492	@[email protected]
1624	@[email protected]
1624	@[email protected]
3212	@[email protected]
5304	@[email protected]
5404	@[email protected]
5292	@[email protected]
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
4744	OpenWith.exe
5092	@[email protected]
3940	firefox.exe
3940	firefox.exe
3940	firefox.exe
3940	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exechrome.exe

description	pid	process	target process
PID 1100 wrote to memory of 3768	1100	OpenWith.exe	vlc.exe
PID 1100 wrote to memory of 3768	1100	OpenWith.exe	vlc.exe
PID 1520 wrote to memory of 1220	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 1220	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3944	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 1508	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 1508	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 820	1520	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3132 attrib.exe
2820 attrib.exe

pid	process
3132	attrib.exe
2820	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GlitchrollV2_UPDATED.rar
1⤵
- Modifies registry class
PID:4928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\GlitchrollV2_UPDATED.rar"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6b3acc40,0x7ffe6b3acc4c,0x7ffe6b3acc58
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1936 /prefetch:2
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1972 /prefetch:3
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2228 /prefetch:8
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4420 /prefetch:1
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4432 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4596,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4728 /prefetch:8
2⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4708 /prefetch:8
2⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4872 /prefetch:8
2⤵
PID:420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5104,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4296 /prefetch:1
2⤵
PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3804,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4920 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3500,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3480 /prefetch:8
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3356,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4284 /prefetch:1
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3476,i,1639669935854072798,8333158853186545408,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe749e3cb8,0x7ffe749e3cc8,0x7ffe749e3cd8
2⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
2⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
2⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
2⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3224 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5536 /prefetch:8
2⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5548 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
2⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
2⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
2⤵
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
2⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
2⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1340 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1712 /prefetch:8
2⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
2⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,3722307245800479126,5394493584085504903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4820

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:3132

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2984

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 62981717076028.bat
2⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:1688

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:2820

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5428

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:5844

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 544
4⤵
- Program crash
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 544
4⤵
- Program crash
PID:4128

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:996

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "waznenvck896" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
2⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "waznenvck896" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:5136

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:5308

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5328

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:5400

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5404

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5424

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4672

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5336

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:5740

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5420

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:6704

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
PID:6700

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 5492 -ip 5492
1⤵
PID:5936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5492 -ip 5492
1⤵
PID:4276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\jigsaw"
2⤵
PID:3920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\jigsaw
3⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2068 -parentBuildID 20240401114208 -prefsHandle 2220 -prefMapHandle 1756 -prefsLen 21730 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f47f202-2cf0-4e91-bf41-4949d939cf22} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" gpu
4⤵
PID:5244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1824 -parentBuildID 20240401114208 -prefsHandle 2568 -prefMapHandle 2564 -prefsLen 21730 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ebcd401-1f4e-4cb3-8851-13424abac129} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" socket
4⤵
PID:5536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3536 -childID 1 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 22395 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af166104-9070-4461-bceb-42b5ed387ac1} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
4⤵
PID:2972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -childID 2 -isForBrowser -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 23684 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f566aef6-a2e7-4144-86de-74baa7115dae} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
4⤵
PID:244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -childID 3 -isForBrowser -prefsHandle 4436 -prefMapHandle 4432 -prefsLen 29248 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5e35524-6594-4367-89fe-d81f2b25f699} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
4⤵
PID:3968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5188 -prefMapHandle 5180 -prefsLen 31930 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a937fb06-0198-4a39-a91e-426f3f26483f} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" utility
4⤵
- Checks processor information in registry
PID:4756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4632 -parentBuildID 20240401114208 -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 32145 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {210e613b-792f-4714-9892-4eb043936a98} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" rdd
4⤵
PID:6712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3592 -childID 4 -isForBrowser -prefsHandle 3604 -prefMapHandle 3616 -prefsLen 28235 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4660338d-ed60-4bbe-9f49-b715bffa459b} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
4⤵
PID:7028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 3620 -prefsLen 28235 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b22f0a47-e11f-49cc-84a5-34d316a1f4d0} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
4⤵
PID:7040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 5924 -prefsLen 28235 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0371325c-ea49-40d6-8d50-aecfbb8512d0} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
4⤵
PID:7056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:6300

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\jigsaw"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:6432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize
1KB

MD5
261d1e83fe6a24cdbddb515829753c6b

SHA1
ef9dce1f42c5c1f39fdcee32df1fdb22c0bb709a

SHA256
5f6369cfb52f75cf0f6386de559e5d51ddd8d854e4d68fa892a73c8c7e202850

SHA512
1515b4d4f9d2cb48f4398065e0d7ab7dcd6a86814f3ad78ebc9895e321ec3cb3ecbb1de3562a625d8f1a0560bf7841e2f67a8db8c3c11244a3e37db023e17482

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json
Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
8ec319df0134dc470e0add976274dcf3

SHA1
12573fde4f70b052e89d49f09fab4cb5b3260a0f

SHA256
7ec5f5ea699df15b80702e492ff3a39e779c8c17a2cebb4d306743b03ad3577a

SHA512
8c1af88ee1ba624375d97c53ef63eecc28eb124404d9e6cdc313bcfa4c829a3406cba0ebb7a9430c2a4edd13a17104f483aff3fdab88997ddb4b714d2b960a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
dc41422f293d724c1ee4171a46b7b458

SHA1
aec3a02fbe66c713862326a7eb08701e64b2ff1b

SHA256
9f9fd2081e21e6b8fd27374d933c2096ce272a219a3862a91746f23c9c9f6213

SHA512
34b854d077874500a370c83c463202016c6b26f78de5f35497e294a0677517bbc23443f5f714e32553022eb70a83cbb824709f9a7b4927d89ed66864fabd2501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
a78b55eaf548e9a10529436c9dc0f72f

SHA1
ac160e10109b38e4c0d3335cb8de735ae0fde773

SHA256
6fc4dc1a13e94af99f3e1610f1fe9bc16f27987e1914bc8e9fe319552ea76a16

SHA512
df05836d6d6103ceea0793418552166bc961ff68e6a2dce432e0f1ce1fcfdd97bece9130080b54cf938d752e7d39eed669beee68a12f6db65c725fe37fc0c387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
fa36794ea8d22b78d554e6973a86df19

SHA1
55e0bad4be29898ffc4f0df95f6a609ff9cd07cd

SHA256
0ae82acd5a31ec779dcc6c2e9341bcd70fe2ca53054c929e3730d885e4332499

SHA512
113101dfb31e66fc3c89bce3fc44685b735d43a57bfb9f51747b6762efd20ffcf2634c0cbb3bcfb5cc08111b62f7120945d4195f9e7d502aaa4759acc8ce86a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
709147f98dbd8b066112ede499a5ca13

SHA1
492d007ec72c07f55a4206622011d4117354f2f2

SHA256
25164eb75cca6bbdd8e125131307cf5ca2dfabe160a3608e56d95f76739a6285

SHA512
fae4403b87ad09f85c0bb780dced1183f04601c8e41b3d9dbeb0440839ed56629845709a5d15dd49188d1a245177358bc19e1d3d8f2667301ab5b7032f10f4a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1d8e6dd8b5c1ffd10482eb14a2a22f48

SHA1
1586a3711639569a4b5cd96991f8d05cb19f3c26

SHA256
b5a60bf5280ee6ee9b18d22ef7d227045cff3bc783e522e3950a9fc0c181fd58

SHA512
7fa792357dc2a55eca9563f4cb36614076632966ed7b088c47b329aafb08d50c5094741f0137cc060e926d1536bed92591a86561fac31a87736e3083d098045c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
378c2c2453da4e58f589d0f097a3de25

SHA1
1ec158988868c225349c0f18be895110884f2215

SHA256
6a813ed21e846359453cded7ac33fcecb032fce3a77f1d3786ec12f730d13b74

SHA512
eaf0bfb9709b6d925987d3a0ea58a3a24661b1e72f3d696ea923fdfd36f439a6924ed33f36881cd12f006daff76e74a4606c7adb77130d7d9c5873b79b5bcf2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9ccd9ac3a483e925ef8b95bd7841cac6

SHA1
e0df3804aec8185bc27c2c166ef91b423145b5e8

SHA256
54b1c24a8691b131292ff5b2728a87f10894b515600a3017d41e47bbc549df7c

SHA512
52cb15567fc80cfa185be86b65a51009411343765e93d832a54c3f588b330ef5bb710a2075a0a59bc8d0dfee0d431a42da7ec814706ce9b0ad76e1753210840d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ae01b3b6f4bea09ebe6c8d557f59ab79

SHA1
35387c0770dc879d7e35f93b51f30978267009ef

SHA256
61ae65eafdcfc3f4b16c2317ba2f76695f8eeb0235e658b2bfc00e15de99241e

SHA512
a7854b2e75785448e4da669db628b70ac2b35745eb0f55a05c82b5acd018e6bbe75e33886923c83e6a22b6a589bebcb5fc234903671963ccf5d3661185d0a7c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3fbbeb2834ef783e417c88c89d8c06f7

SHA1
ba0dc577c885270cd7c42f723b95d4b9af93b5ab

SHA256
134d476b3afc255a8b7738deeaefca3cf74c59359c92eafd658ce671346b3027

SHA512
465d3edd458cd8b61fd3badae22c28c213b0585afbaa3b99a5827a2d91e8509a60b9e0dd5bce2ae7752d4d11714b3ddcee433c926e32a450274595b897318e63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8be0e4a9d98608a38cbf6234286d64c0

SHA1
699e7b88a78abdc05aad56062aaac337727c51d5

SHA256
90b6debe5e3f9c4d388353368390c91dd0275c8e597c6c233eae6e464a41e62a

SHA512
74138b008f42a417dd55d271cb11da84af2b5f07f799b1d62b94cefad785c29358b0a7e9e530f72cf7ba1113f2a055d67226d5725a3a2ed86d78b55c7e36478e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
023a2be0a5c8bd16d3478991f5ed0a9a

SHA1
9dda6e0e64240f18c2c19673499d35d765cc0971

SHA256
0a7d52803e9bba27be3227a2458ec28be1c478126a93e82e1543ad7bdaa043f4

SHA512
54a64b6df316a20da52128c63ac328575f869e88526ab18e3b5228704f05fcbe51ce93b8a079a730a30b812d05c6fcc60b14a28d27c4037cc1a772c86de2dfa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
59dfcefee51a4dd57ded710359d817f5

SHA1
9632956e9245bebf64700b732959fce49dd3a76d

SHA256
5418f707b574424786d703da58ec72b9754c723dd78d5dfe74dce19190223d69

SHA512
db800f7c7a4e26588f361901c4cb10f41c96bb868e9737952e4d86541342ea26cbcbbe2c58ba281b26babdc465d228959a4746ecc38f0979f9e9966946a05e97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e0adc18cb708e21ba78286239b0c0530

SHA1
ef1fa765471cde6a2f1385509f2ebd60c5d10e40

SHA256
3654562396a6102fd8d8e18ff8ec503b1d942625cbbd98d3d4f3cc5cc5a86587

SHA512
0128eddd555dff1b49fb041299e9870f0a6fd21dfedf222e6ea7728dd78bf722c0ee1afe447090e47b9dd31ba7ab04d88c9315e8e8be4ab629101189d5b701e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e53ba817dfc177142cfef6d838914938

SHA1
af83de0e8beaf3b20730289e793093e1daa8c3e1

SHA256
85209fa8441e25f70ab27070c9ed9e25e11d18e31997b704b6609d548f3c50ab

SHA512
d3728f681332b48595e303b33fa7fa635febaeac702c392ef94d81248f3342316e2ef822f373e952411e01e77de9865ea3cf8d8936c689d841ba8a42ba6ea37e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
e5053fbb3c86ad6da6bdefbf4c2661e8

SHA1
bb0a9ee9e87a276a24f9ed96d800d360d5cc8dba

SHA256
39a3b29f9d386b4db85c3e0440cfea6eefce2f9c2ffd12c31ff39a1775595c86

SHA512
7a3f2f5f0d06f0e9968db072c95899676830d30857da8b3c6e1c97883951da5a33be9b1f050e3919a3c7776e3d9143688627cad4371984f8c856e38f54684076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
cab1faecd241a97da9186675afc6e896

SHA1
b2bf49c584fa9f1967f8581a46bf7f952651256d

SHA256
39ee24b9f93f87793e94551a38d0c268369cc701ff5c7befe86b00c13de7d2af

SHA512
1fc69143ffed2ef6dbced9a049ff0e28542f88c21214dd80a94c2f50050d8a8585e657b1163c73b7fa42f052236ee44d95fe72f1c6b4f2a433f4fc479a663870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
f9095689f7d57c9ad88ca4473d6e664a

SHA1
bfeddddc78b8f94d59cc795663deac0ebcffd319

SHA256
ce7861fc0960517ed181d6e5efda7781b0c2805ebd22cfbf58c0d995c4ce7a60

SHA512
70150e5381b78c4b04315a2b3eccb8b2a4463251674f7a8d52204d4fccdd7381c8c5425111dd73be6efaf02771acba462344a6eb55ac79d50ad17d90db593d4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
6206d82710c8a4d75b552fa03a80dc51

SHA1
1bf1fc1e6a3b07cacd02ecacbd4efa42d261d47e

SHA256
3595cb2e5687ecef06f50146767c4c9ac0e512c6eb2d2291517ef1ef12a35eaf

SHA512
4ddbe73a4692cdcb0b4226500bcdd21e0f2838bef25894345369329c560027adc6971c5870509eba70d8a82645cd0e13e2c6d49870bf9a39b6e99f324a37d0a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
80db58d409381891e8faa8e93a3e962c

SHA1
9465e2c2c48b96991e1def9f0742a69653c9691e

SHA256
5dd3001b635daff8abefef7ac16a33e3c9af803d3ea75cbd5e3768ca71eebb92

SHA512
69551284f8e0a88076507823d122145336b252f66da35921c457701dd94f66bec4e4ffc626c8ff1f01ef80b9215deef63195823be686fd45f94750f4020e2e09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
9bab8ecbac5ccafbe0ad0781e81140da

SHA1
fa930fb924449be5238d7e747fad53c995600041

SHA256
498b4ae71e733f082b4a4d9f3d7dffbc8b87769250c9db6250f7f340005f6959

SHA512
094781607ce319bff193143ae010bc28b72a307f1a2f07bfd21de0a43eec5c252ef35d50b4af362fe0cd090a5b2c7a2ef2550d0917b3c533f8f4ccef5f115b1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
a496a2d57e0c5d2edc0f6e63ea3a861a

SHA1
ab5c0ebc34565bff71cb90258e27ed9a0a000e7b

SHA256
3a2a01c5541de2244bc3858e2e2847ec4dc18e57825a25ba741a0eff05eb3c32

SHA512
28d4e58e027a00d1ff658f9a0d6af4127cd4d0106868ef50edc159b4dd1df3b8afcb513cffb8c4672c98ff2eea6e9578094b645d6369f90d54b46fd9e1c80c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
bb0237533e6c357b45d6c3c790cf2d2e

SHA1
eab716ae64eee5826ee9fa8d8ffe0d44f07ce1de

SHA256
417074ddd167e4f593189278187b39404eec748446fa4d456686427be34d9615

SHA512
cd84903855bee826009f52c2ac7e4522609af47ee4c5bd5bc6e04941d898eda2421558e3682030355bf1f061cdb0be76bebb1902d1d7723f398559aba109a2af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
bb3cc192b6e538c6d95cdc3e7a39da86

SHA1
4782e136be92441b95a68c4c7dd52db0b2ef146f

SHA256
c38fc6d8c662bc8121fa4d6b23d6d24fa533f2c5f7bdf49c45f4c84153544904

SHA512
c2cac2071462f99a7087cead0039750126b5e0397cafbe3251a9e0654b2085442713a5091f1e6c0b8b061a4ed51f30e75fa4678924c3d546ed9bfe7610bb9481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
acb099f208f9322145eebdab1723d417

SHA1
53d9bac6ccb8e1040cb9a39225b568da1f566806

SHA256
f431e9db8e2c457af7b4ef109709bd694bd8055fa6306b16ff46b041360a05d7

SHA512
c7adafaecc88c1b32424359185f367f1cdcf73cc944fc869a8fdcbd437cb7e9766cb0f5cff4cb750c65f9bf33e9c2427058e11056b49e0e7a5a8a0034668c808

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
e56640dfbe40a67fb2e5aaa45768c0f4

SHA1
272bad7eeab5006a0d2c76cd863583a129d332a5

SHA256
4781c3d7b5c44f5d5e7085a92ada0b788142be6f196f5b1f9ccce10fe53ff47c

SHA512
afd37b7ec535f6ae3c77f6d117c289d23691e10452e26dde69c85f6514c9bc278fc1357c3cd09570a5b36660fc439a6bb52313f43ebb42df74f15226b52a2665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
56de223a8d5a4e4bb4e59165e87ee6c1

SHA1
d4569454d0c726ea92ae58e71308afb6e7c4c10e

SHA256
f2bc4d36c327bd95401506ae9850b6b0e369dbf897a9c23480c07b726896c501

SHA512
ba0a48cb2144c8760fe3e6a20068d25c8b346c481fcea9af22029b23b95009160ec7ea035cced922c6c02beae4e96f2f1a5b0fb8277a642f8fe3a84740cac652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
a805b43e8e95802af95024e9214a3544

SHA1
6a3221c68d027c7b8e3f9a4eea67110baafb1c76

SHA256
da34f0b82d32390daa68dc132f4c2876af4eae93ee6177c9ad7db9591191abb4

SHA512
128b2d7c355c0c024f9f5810b47353d45ff4dbe2c3099b8f44cd14c89fb018b7c72f792258d483d8bbcab23f27a2a2698f6af827f2976c2f7f4b9ccbcf5c391d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
95464b11227a98b45ed8ab9e97538caa

SHA1
e608d5d3c5e58c38ff3cdd94d165b7edad095bd5

SHA256
a75061da798f27f4997edaf6d93c9dad0cae8159aed7a1cd3b6d48ddc7a0d28b

SHA512
1adb7b7ff1cfd391a4c981502e04e7adc90d7faf692dac90c7500a6aecbe5e39e439b7c0708e5a1f8cd9e9e5108294945cfc6cc1ebb77817d75955038349a743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
2067f69bb743decb40708032ee398122

SHA1
57d5cfc075f31c6ba5019db402bd0707477ae109

SHA256
d1fc8a5bc4263018a4b7922046234b3e8f22c9c24ec0100cedcd1319b5febf7c

SHA512
2b43715989b66d6357d75dcf04f1a5da729861bd36b0464d96727583c6afc6586c3ee934082117ae964e6a9c79336b6b615d17b7592c8050e8ad610ee0cef69d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
39e2e3e553724656ed83032b3ac610d1

SHA1
646f4b060bb49454857a3e4bff52b51dbce87289

SHA256
714ad394f6a75cf70156c7849a3e94241e8004539bc5c119546889eedbc4a4d9

SHA512
94a0491ebaa7bf5a39f34be34719a275cc79ee0e6a8ea30cccc7c162c77767e0c916ee280500652110b7c896eead4227a79b6bff70bb10a52a538e63915a37d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
12f3d77155c1f255c68f555fed15d413

SHA1
236dd2c487d0ecef4f9098ecfda003118727fdef

SHA256
044a3676b5ac7369a86987351834541f2dee98c97eaebea0d27e076472f338ce

SHA512
cc1ea05ebd34e408fd21987e6879de68fd20c928fa918e48de04558b3a3f15a698b550efa185100aa75ef3b8f2563feb08f336ce8b86975026f35ccb5047a4d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
c0c5699bcceaa6df6c2a5f4c7c3c23e8

SHA1
8084e937e3f42eca79c97765fdfcf66fdf25367a

SHA256
10261ca0a87a0e0972f6338ccaebf3d1c181e2ac92852594094bcdf6e973b2cd

SHA512
0cbabe77a17b06d0d5fd7cd1a6830f0eac5f495ec73ccbc9dadba7760e66054918ccec128730271fa2fb63f552fb88fcad180c72006cd2c5c27c59f867b2b695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
3b1d73752cd48b28bbc2347b3faf3b0f

SHA1
0806386404dc9b977d0e2d859e6589f5371ee549

SHA256
ea8d77e1f8d7b202bcd69e5d799a60d6da784285ce2f0d1def9ba3b47a802762

SHA512
feff7cef5de19e81b96acf96f2b472c9a42e4eedff19d32c42f0c09ceaf02a6683d14a346522d4edb2969f8791f08e0a3d3b589668de34317890a8129311ff2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
f3ebd86477af793bef3640eb7e618fa7

SHA1
83f44156612eaf8890d5624714686e337dec2505

SHA256
0ce4bcf609eeea3b425f2c50be1fb89f18a9a6b04f35ae5a2399f2c49a2804ed

SHA512
1dd00b8de2057c9c0efe44d96b3285c5a760f1e0fdb7e603c526e87645711dcbfee2cf048ddcad0885850cd8a736ed7af386abf1264abb90787c817e5175c7dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
e2ddf12b50e1f33cf1f5475682e4be8c

SHA1
e0599b637d509f7d96f2da66dd230b304f07ab11

SHA256
532ea8cfd9fae852c98bb22356dfb68aef2e9c5fcca6a3770864b347fb8859c8

SHA512
1ff3def3373287309251482e7e3346163234aa2653ba0dac90901756ba3a1a22ab76115065f0ce020c93cbfb25a32d7e4794fe4e4c810a53408229ece079b285

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
cba9a3c08b40121fc17e8ee6e3128938

SHA1
f9d2f0f09c6b136f974329760d460a396ae50d61

SHA256
fc50dca169a13f9f8849c75904a3bcfac2925ee38214c968bd7e19873d5cb96f

SHA512
caaf6fa447ff76d268af44f851334d3107376b7de6702ac585ea74924a3cd34ef057eb02371b17c25b6e62663572add16a3c7808a4c209e28d59088263450833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
fa6d1de8d2c3321a71025b19120e5fa7

SHA1
cc2cb5ddb97b60a34d1fd60e4b596766d56abac3

SHA256
d2f73194c25570d73abcb3a1219dad47bfb7a656b3b9a563b6b72da4ca9225bd

SHA512
b21ee2cbbfb996cee421e6fe5cd087954542e583676ab6b5eac2d0746d1c4436e23383032b78eb0fbb77cbf67544602b077bf8fa2aa5483b8c3339602d4630de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
56459fe33cbde962c1d252e364ddc16e

SHA1
8444dac2af33230a66a4f89bd5d8d0892b758fdf

SHA256
cbd5f3ad03a67abb94c456359da4c0c0c86fcaa3cb1fcae434e973629c956659

SHA512
fa95903223fa30273aca3d0fe7098fd8d6d16df2d111a1aac9019b5868c687f01aada562500e41f18792fb3efb46bfdd54896bb85d641803d47d5fe20408b9a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
3fddfecbf74f3b2f374cdf42f0aa5516

SHA1
259c28d63a7027b236093464590ffa0260f63f30

SHA256
00906192aecb22a5ff1a5cd0297356e4e247defa14a9da89fb00562b3e2d5364

SHA512
5d7563b94243275bbfae8fb21d7afb02267d8e8b93df9c40b1857b2815bf61d28c721f18ca0b75a27883783a9233911564ccfe618dfcee09d1edf7ac4b798e46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
d7e18950634fcda23f97cb2c82a5c9de

SHA1
65de6cf54a8eed6793fc55cf923e7450144d6988

SHA256
96c6a582e0a751c54b581c89e95a2f36a5a69b7c45d31138139ac0ca0d6012b7

SHA512
dfcace6dff5ae7b99024e08f3ac2bdb0d0ab81e18dfcbc580e694b133504e1e33f921e314f15a78eff710f925e87f4e59d5f673dedb09dc3154490b9cb40e5a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
2969792a8abb09e1c91067cdb0b7b386

SHA1
39dd1867402a6b55f4132b091db2fb16facd2d56

SHA256
84e446f47feec03fb03ca2f4cadb059ea4ebf4f3725f64f8d27883b23cb5630a

SHA512
d8303a78d2bc0568fd4201bc4280de292c510f09035d27d3b7f06a1aa40f293c6d6c344c77e77ccf3a6c6023636898fe2042a52ef0f5771d3ae9f3abd2699eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
e11064c908bcdbb0a44480b6994224db

SHA1
0210b349f9ef7adfefe253c13b3f3ff1caa106f5

SHA256
38c55370b22c1159011eac0d0be96cb778decdab3640e38dfd75e733e9727489

SHA512
2b8be1645a2d20b5847d57dfb18411ade3401cb3996d0776e20e5fe53167a042c05901dddb2a8367933e033352de19ec193c506995fbbd80727116e815f40535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
518cad07949b39c23f77bff2ef5f629f

SHA1
90f61d6ef203b1eae0146e2220737080b3d50303

SHA256
88937c682de77f6f998a96c10adafbd9885931a0f1eb95b8e4355d607b62aa17

SHA512
b15bf1d0f7c00af2063eadcb120eb8f0a3e48a77dbed20245d5747c7050808a3135d30ac5eb7d4234970aeed5ccf40b2e08b369d813c06dfa17ed004d9aa897e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
6a978d8b745bee65715d882e6b01c3c7

SHA1
72105aae8af391036b5ef3424618a11be2fb92d7

SHA256
a820f3cf03fd01ba411d5295c1bc934562b9d7304c7ab867b4b9a3ba583dd47f

SHA512
ba36b0be2feb5ca3c123cbf5c779375268bdad5deb00f8bb7329faabe15b9a85df9191f6b35e46649479a434efb4482b63975e38cfe42a4602670c774c3025bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
645011f493982dbda675cd5b0b51bfff

SHA1
fa88fe34fba2b306b88f3385c9add8a9f08a34d1

SHA256
982b8a3bd0c7c5bdf2cdaf43b3ed599862eae289e9d05a2e427bc832f4f37811

SHA512
313b59c06e68d37c005837ae0d5bec04068b09179ed44b6ac3aeef5701f4687c61bae5f24a22e05f662bd9a4206aa98afcad731f7bdae4e7922e0f1716a0c3a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
10fab112dedc829700a229a22b04d24e

SHA1
11254cc337724ff0e4b2ca16ad9e8526c394d9d4

SHA256
fa74e7e7ad48e0765af3016cffec02ad517f4228cf481d21a3e3556414ee49b0

SHA512
9fc8f8ca3fd3925deb943df9f105c4676f0ce9e0e87ae35df5dd1646877fcdc99c496b8546429d2ddfe2d6fe6cb27b9b47401210f9e77b08c3972f6dadb8a3c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
884ccd8617b38c75f72b6c00fdd86e4a

SHA1
4b8c01e469bd0a0fcf34075334d0fd3521a7432e

SHA256
2c373a4b9ae955dba633021204cea0baaf6ce8ecad497ee83e7e015028829141

SHA512
92cde082b37fcc476895d9c8db58e7d8ea3e19bee8c9494e7d74d164d5e8ca33eff36e2142a59db48527f8f17f42de017bb83668e51602021103644db2632371

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
0d2ed19618acbf94b243c5baf3eacc37

SHA1
923e3f6cadaff8f6171a958a1327a322b3dcc0b6

SHA256
1c5e73224c00bc6c3cdb3afed3678873543d7eb804e140e83ad64948661a8365

SHA512
1c3c4db3dfaf5217b4a7bbf559292b5335dff765e2ea601659df9976f11ec73aef6654529f42b5993cb7f51f462167fea0136304d989a23cfe3326c69a9113e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
6bf5932f3d9f6be698312b8cce82ef4b

SHA1
4fd259b3298e0e8535b854a6c97b9099d0802c2d

SHA256
e620b60a0a9469c83eb0a756e0574094126a11a8f9f17fdda1b12b0d5039a512

SHA512
2179d3a18d050401993aa4ac2aa7297be6429911e16c0e03268e52b57b294ce9e97cc72e01f470b929a2a46441f6129869107d96880e83638da289b56028badf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
157KB

MD5
d92ff48d7fc75915877abb076dac6bf4

SHA1
8954132c8652b8198f15a4f659790f6ec200bfc2

SHA256
72b4b75e238e88a3408c86e4f749d1455445d069de304bc4759c79376518be2e

SHA512
0825b8b082b2a07a2366c4c391efd131061ddb3c14949fe48c5dd7133cc242e251d0e95c8bd277a7a39937980f38349663f5692155f94c4c1c20841565059be7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
157KB

MD5
4326179622331049f42864836fb389f6

SHA1
0684e4a6a890a0f7d8c3e8969d326d34a386d981

SHA256
c6a0d45fb33aaf932688f80c3b67989f25b761d71fd5e8c13fca5dabcc33b5ad

SHA512
0a26b47e7f229c46aaf7910755c26f738ab9162914779dd0fd4f26abe5405d7cca37781d6beac4a9ad8eb506ddea0c826cb57975feeb442f8615735ffb69a2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7ebe9e24-87f3-494d-8b44-b66fb3ab635c.tmp
Filesize
6KB

MD5
dad5e9cee269ae34a46e1a2726cd91ce

SHA1
6db11bc15807f47ed186dfbdfa8c4668742efd51

SHA256
b6ab033bb5331ffa3ce59ade745860463e1ef6a8c07555a33182f9487f170ee1

SHA512
419397c2944e6d8cb3b4872fce72531a35d9d91d02ab029b9820c5b6f5c61dd0729a8d86bbfab438c2da1206ac2384b5b78fbed5c659369858d60546473f086b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
48KB

MD5
0f2b395cc63db1bd8a5d093e558cbdd1

SHA1
833d0657cb836d456c251473ed16dfb7d25e6ebe

SHA256
f3797115dd01a366cce0fbd7e6148b79559767164d2aa584b042d10f1ffd926d

SHA512
e8a4ada76efb453c77a38d25d2bbd3a7f03df27b85e26ba231791d65d286fe654c024b64f9d6869824db5d1cf59e4d4eb662f5a55c326e5e249144ae1a66b798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
44KB

MD5
13c12dd8035a11f88f36de3b9dc964a4

SHA1
25fb02df3f77368d59eac2e7a1c59fabfe9ac9b6

SHA256
f58cce418d2df873187a718cd5a0d609c711405480c1b56f004d304107c87171

SHA512
7944f16894141495458ea9957172ab4ede54eafc76c50280075ce55f9eca941ffe7c876f2ae2536d7492da0cb340aa8094681929b96a428bf9fedfa47c8dad86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
20KB

MD5
47e0f4248c634be5cedb46bed6d81ae6

SHA1
bdc8fa7b22229a0fdceced553dad64bdf2364bd1

SHA256
bb6129dcb4e1ec91c91116293af9545c4550a78792cebbc74216a193b239bf40

SHA512
7f7352b98d26648d532b1ca8c21df9306070a7e30791bf19c9b525e2046b48d06c6cd02e70db0c48ce29e3938f3f993d9881d0421fba0232d9d46f5cd9e0146a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
59KB

MD5
4bc7fdb1eed64d29f27a427feea007b5

SHA1
62b5f0e1731484517796e3d512c5529d0af2666b

SHA256
05282cd78e71a5d9d14cc9676e20900a1d802016b721a48febec7b64e63775f6

SHA512
9900aecac98f2ca3d642a153dd5a53131b23ceec71dd9d3c59e83db24796a0db854f49629449a5c9fe4b7ca3afcdd294086f6b1ba724955551b622bc50e3ba1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
150KB

MD5
0b1dfab8142eadfeffb0a3efd0067e64

SHA1
219f95edd8b49ec2ba7aa5f8984a273cdaf50e6c

SHA256
8e2ee8d51cfcc41a6a3bfa07361573142d949903c29f75de5b4d68f81a1ae954

SHA512
6d1104fd4cfe086a55a0dd3104c44c4dba9b7f01e2d620804cf62c3753a74c56b5eae4c1dc87c74664e44f58a966ba10600de74fb5557b3c6c438e52cc4decdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
21KB

MD5
ed7409f5149f77e94bcb0a582b457736

SHA1
4976bf44742d5064c3a53f3efc0bdaa90c99935f

SHA256
a50ba71d4cc17eb6fd7e5a8ceabd52e42988670597bec425a239d5986ccb7245

SHA512
bbb0c7d8ae2ce405c2c24fda26d16e8d4675e4c7371649f834cf91263e386f40989316e8b07b7d8e5442cacb1f893d3738687294c370633c16d51f30a935a849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
20KB

MD5
0f3de113dc536643a187f641efae47f4

SHA1
729e48891d13fb7581697f5fee8175f60519615e

SHA256
9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8

SHA512
8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
Filesize
65KB

MD5
98dacda0e5963458ebc5e1eaf24fc8bf

SHA1
7e806b57843268dd74d704db9170dd2b46603afa

SHA256
a114ae14eb4aef4aed440fe33d9451670164f0090c4717db5c49f64c6e99272b

SHA512
5dac472b86d19a61a63444a94b3c081d9282a5e7851e357aa0d627ec7a75ea4999b8610473a2928b73c93643797d46f0a84edf36f4903839768fc6363002af9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019
Filesize
20KB

MD5
8e7b638bfec7451db22d5f6d54662360

SHA1
22c4f81a1216d4b1b48b5f66bbe6aeb7c7bee595

SHA256
9ca11ec635e88ea63b7ba633594f5323cfb61ee4499c42b90f3d9968accffc6e

SHA512
024db23141f04f898cb434c7624d23265c3c1dd702f15e40b793060f38cd4be3416bafdee02a72027e41dd2c5fba47ae8765a0e62c17665e8287eb782eed1373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
9b7b93e5e5eb7a8dd50e2b78b789016c

SHA1
5151c308aaab7b431232909c77914aecf66f6b5c

SHA256
e777d02419c9ded87d09ba3672b37cd3cb8714d0ad2c166da2f1807dc53c6ee4

SHA512
347a373624d070653bc5ffdd11eb15a003648fc68d606115603f0f4750b42808ae1051190db19db305f77aecc9ceac0a4d2380378fe2713aa7ff9356a20b8df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
164cb1b8365db0f2fb711c9fe7cc68c7

SHA1
5608299a99b9c9f021b62f20d5cd0abe9186604e

SHA256
8ce3bdfbf022078f6a17c78e0c8013ab884df93dd0f2d3ddfd6cde704a85aab6

SHA512
ec647ee17513700fc38f06558f9969af18e0f6527ee6a920b0a5964e2b2fca7c393b8e99f19ade9ee195d3f727b3fb439593096335417ea2bcfbe486bb96c963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
97f653579fa62a72dc37521fcacf33ad

SHA1
8efc34d29ea8389bee91d29bab4c8509bcc0024d

SHA256
de5da478dc09d5418240cf64027a13d81dfd1fa87e59f4c8cf1dede7192172b7

SHA512
e9c3008e46c948d2d0dac33eac3660ff4dbe6655d8b3d91eb119c2f37396735f9bf79c29814da73014ceecd4096d8ba1ee90a0554e80812140dc09e408baa243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5f857e26ccd9565329dd22bc1c5fa3eb

SHA1
cac093a4ea39c518a22076eb2e6c58cc5b66b0d3

SHA256
4b6020a6cf585beeaa7f9e6c815ebab0d632afe9a8ade8a7d47756b4db3c5321

SHA512
2e9333680b5b9dd8e197da493e8017f9ee5cfd346c98d000835230f729a22def50fac4fde1f47c850bcc4739db42150cc0988d8ab8f311c381870211be4100b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
924cf177ae8a0f1bbe232ca6da950c26

SHA1
224a7e03e34c9a9474b0850bec02f5d32968f45e

SHA256
bd7f1017ac9e64f78a81bd2ec35d5d59346083815e545df9e9f58c8d6c51a17d

SHA512
6ea3afadb0d5041d2b7e720de5398fb845f69f3bddc82d50f4e3c114c2d3f68b9acaa1c8b525d980b0111c2261f3197e7e68eb8ada3b1d556ad1b2488ee6252e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
84fe6a1e54cf74276c268a530924deea

SHA1
3ef2ca269c6d4620cd22307deb094821a639ade9

SHA256
881dabe77b66bc57c4ffd592cce600bac0e9e77508f4fe7f15d6d5e3df47d09b

SHA512
1b2d5444e141a2c31ca637ffc107705f039201afc690797e6a8106a00f3fbffe56a371342bfbfbbdba7f22f618862397e95e4d6e09baa367c2d9b602407a1535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
772df7d08d05cfe0586f3c7999f99770

SHA1
3d6cabdf061b27d2189b8d101ce06e0125a398e6

SHA256
2740c5b6aa574dffd9acd2047655dfd624ea334a586a60919d69dd2249e40922

SHA512
145dd3692c22b7ddeb92fcd0af1e630402dd581bf6d9ec12ff1a59da9683d0ae5a3988c90726c2cd8f580b9422d53c22d3587c7537cb3274466a5178b5908d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b287fe3d689e33fbff7ff50b39e60d65

SHA1
2178f1b2ed355d6db5f2c47bf0da64f7cd8506f6

SHA256
183a1109a91ee49ff889a6d8f0895fc99858699a89a3f548e0c70784e1db32e4

SHA512
e7a55088e57a8b649f46307c1d1496f49e711f5fb5d56a140b08bb661caad45608ff4fa49bf2586575961eb9aac921afbfc2ebb013d930aaff124801c6fcbcc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bcae183f5248d98f3fdac27f4e9d1728

SHA1
961142fd79a0c59281d7fffe68bd83a7de06a8c9

SHA256
286a1ec54ffca0ea013749704192bb830b50fb315d12c758b927f5e7556f0565

SHA512
f33a055165767e1437796fb0e94031b402e793c7e51192167ac70500a8ee4565af20bf58438aafc7b7dee9b55067796e35486ec50912834bade734821da6df89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
97c1b31d924ebda06d0dc1b907bca903

SHA1
f05b8bd55cca1728f6bbd4a401eae73f3152c0d5

SHA256
f9b7bd838daf24f248065f4680e558e2a3e15eb78bf7c6372b6dfd899c7b7735

SHA512
12aefdfd66b33fd69be3778d221865a151d7c70a7dc1ccefde6a1f46b307c4d616b090e750cb705228936581e516f29cbd5100bb87714e372f58dbe495e3a228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
40f2326315f8672fa2917a235b1e06e2

SHA1
cc05b19ec8019816da41889d0a430a4b8fd79d1c

SHA256
263282f44765baacea02b6b783c27fdcf7d471fcbdfbb07dcbbe2c66de80fa53

SHA512
89d5489eafdbc72eec500c1b91699b4f1dcc09e5309bb71bf5a02140395bd9ca290f59fed8e002f91aa75f4072191508bbedaf9caa9bf55524c869bdcf7711af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f04898dd05f8321871866b1c97ca7f6a

SHA1
6e6575bcecdcf6c58744434d409cbc5044942108

SHA256
2b0af68f0890882f8899b7d5028f6b6a446d7eab46d748e07d046f10c8722305

SHA512
76cda6bee8281613654abaff2516367071319bba37a1dd14861eb80d90e94e9bcc6df317ca2f8700dfec6b5d50f86cb6b52a56b7e641345c05aedd7322558dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
46a71020b75dbe7a3d0865bb5a78dd5a

SHA1
da1af8222d364872e4d7ab390458950798b41237

SHA256
59a446e906c29068e3648e1dfc2e4a5fece4cfbacc0c7537414ecd2fdf577f6c

SHA512
dd7cf5aa185108f31629cddd63011fc7dc936add45a94bc1f4f2c23c028a8e5c1b38a8746390aa4f0b6b7f7073cd8e1a1434c9079956d74f4e29a773a1ac8e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
7d1fad3ccd8b343d61126f55d91b7d68

SHA1
74ff9a78f4e34514a940d97f829a5daa9855901e

SHA256
508ada620f3877b1fbac64932366bd134ac61ec18801a62436b43190095d24ee

SHA512
8f96cedfb2d7aa1d1180c6bbb6d2699b01bb1f56071d614d81a7aeb3b297268737c330f74d6664759d1f705ac1f8634fd8a465daa0ccdf3c211a66889a83c459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b0fac.TMP
Filesize
1KB

MD5
2bf3f878f7a982855908467be11a2f41

SHA1
3d4444fed0f675daa37c2e2b89297898ad98b03f

SHA256
61d5ad7de2cc892a2457f524358fcfbeaede07bcd0224e2773835b62b7f39066

SHA512
d969c9725606ff1dbc5839640820fca3257983a9251afe08cfb2c8584b5a2ce8dc70398e13da964769a7878dfdfa76c319cc022fe9a4251020562aa74c182967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
a17801c51ad9e7faa6498af188abc2aa

SHA1
efc549437cec79fa46cbcd9c118156224731009a

SHA256
937bcbcc0a3471520017aa606043f5bdb37b597a94942d4f70e6908939b50801

SHA512
df89a2b69a637542eebd7017ccff357b26b5359a2e10f3601f502ca709ddf950f1ff8ca6b97c8f7f2115fd9bfa49fe115fb687ef2b442f099e260a0b108e66fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
97344e7f2b2ec6c6dd4bf72e10079d4d

SHA1
db56c1923456e568464142ff4d63d8b0870a09af

SHA256
70a1c7a4184f4ea518b40de5602587beca6fa18990216cd42b47d4418cc743f7

SHA512
96b9d8c8700c4d083cd3ea61601316693dae2661613d44ac90e33a32125102295ab852ca2f48325e7a7e71db3afadd5a7aab0f9e25f78d8a1751298bdf76e3f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d439e9a6715d93b5549ee0709321f720

SHA1
f5c1c6a6a892b24484724149bdfd3583ae86b2e8

SHA256
b84c895ea919a3b8acecb3e2986f1c9e96cea5157ab345dda44839f3de47f754

SHA512
e715db5764d16b06313fbd6e98177591ec9f7ccc95ad174b60cbbec198d5363c1942a9d0943a6abd573e0e5d1c5f5f9d49b5fdf264457265197dbe7688c0611a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f3ef2a604b42f030bcd5cf12c895235d

SHA1
f105a1eea02e9889e52db7f3e83dcb1ffc0d5023

SHA256
6c31ee2e8f54069c07334a4039607767435b760774c921d9f9ea2d6771f44b7f

SHA512
8a343b0e2f8006f090371e1962a5ef4798e9e955bdeec6461293a29fdbd7006bf17d4a7090ec912e06870d8fa52f82573acdce7d30b693a1b04ed7fa82b7a865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
afe857fc9142cff43d137cc4f6076684

SHA1
5f664dcc810b3c2d48a5cce299c0369186f03922

SHA256
7e528980eb3a56454e5405e3d6485b5e595e2509d0355853bd2578e54c013260

SHA512
770915da2514573099251d3738373ff8fb3a3282e6f7ffde3ae0a9da49a9afbeeca5aa2660f68a9b3dda9e106215f808ecfaf6b508a1539ecd38f7f501adad96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ab10db7c6542ddd3321ce625b1f142dd

SHA1
ee6c730c5a493282f49b29602b62c1a031efcc95

SHA256
9a506326f808f8240a2ac63d0b2c054267a97e488db93ec4acf93b715c80ab89

SHA512
5aa72e78864c84260c59f0cf543ab0cdbc71494f409c51da2fdf94c99a0de209d14faf4857b03f83ee6a1edc53e601bbea2b3f537658e497c5d3ca00253cbf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry
Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\AlternateServices.bin
Filesize
7KB

MD5
7c54ec2c4b89dd0000fd6373e0db923d

SHA1
c0aaca28a2b30efac5d2fdace4c8060ec3a73fef

SHA256
c006f8db4e78037e860b47395e40d53946c67d198fa822ec6f073f3835bfbaef

SHA512
322d467ef82cca950cb29dc841594919a7e270eb383da2b59ff840639d3cd46a80e2a8345e16fe4dd06f49e7763a1fc83988196ba149c2fd130f78758834dd9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB

MD5
f6f0bccd14b96d4fda868a2c797675b5

SHA1
f52b83f6b30a666fa79c4d12b5637ffe04ec0ef6

SHA256
a59ae61069612e1c6466100359abda63dc4dc65285a53df3bedc918229fb4820

SHA512
5031f4349b05685f5016baf9265f09450cc1f1ed15f25668bbd32eccc6326b6a390b3528de30a12d0b16a62ade70bf2c69815dc7e5e9a23f6efdd32d0d4f4860

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB

MD5
47b78e16d4c1ef61fbc8791fb96cfbb3

SHA1
77e54166246ff20769ab2aad96240781ef713bcd

SHA256
6d8e136a685af6114b479d148459a48464b357e5d87caa00c168875bfe3378bb

SHA512
aea87ef1c13496c49d060ec141d5e098ed72253e3ac7fd3035217613f92f01e3106619ab78c5481a37459661d7033f2580d22a7e1f51cad66f392d78c82ac114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\9e1d377f-d15d-4327-95bd-9bcadec16bc2
Filesize
25KB

MD5
0d709a181c9e78f0bbad790555d26822

SHA1
57bbb7eab95093f575ea515fbe62ba3b3bfeb06a

SHA256
ace6c2e89cbcbd75fedb12dc6c23e126d490d8dbab41d9bf3ec1fcb33de49af5

SHA512
b19b0bea2aaccb9a3e191227e81d3cc759472f2c8879443c0d1f4d1ab0a23feb03a3b5cda1d9ab16f4929ddee0a55c5f9bf4cf52ee0cad1a68d9ae7026a3e389

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\9fa9f882-040a-4d44-9ac1-54bc045e872d
Filesize
982B

MD5
349ef963b314d06eb8c92c24a19d1d5e

SHA1
7e4a593ab0f491793d52d01934295820b820e646

SHA256
071fdad201f3cd76ce66a5a027fbc4b45fbf8945d8bb7a96ff1850d8dcdb406a

SHA512
ccce005cd9da48311e0c9008e6708f3703836d04dabe5362b5c35a2241e34e2293e0be3237caa4b1cd446facfddd1cf709d9135996595032de58bdc1f23c0e5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\d1560aa6-d324-4cd8-a7f7-35ec21414664
Filesize
671B

MD5
11f38f32f9b6c029c0ff00fd8681dae8

SHA1
a0f04a7a96aa5afa0560d9e791359bf8d47a8115

SHA256
05f59d35cbf90a86f8d16a58b7874cff9790f8dfdfae00f193f4c955e0b3be28

SHA512
e9fbcc337bc8614394bc461bbe44d0fb960c52a94184ed3f966fea3503a699df41453b4b58bb235f0f29ec6d680e7393a374152780b2e2b65b2a62dbd8602484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\extensions.json
Filesize
37KB

MD5
05fb6416c031a1dc85998a3e6b9f8e3e

SHA1
58d45f592317280898ce821407be6520ebe87981

SHA256
fa25114d3604682b1f2d0b78a4f34a50c32cdb1fbd4e9dfd81110d627e1d04e1

SHA512
9292e6a904ef9ddba3a995a35217580adde3270d3a1ec69334e2ee004b4fb4f7c86d9341463a58af238b68fce961576176f0a48a599e2148a86aaf0119b12850

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js
Filesize
7KB

MD5
ababddc4e1115438ee301d5405fc3357

SHA1
ea61f4c1f4bbc66d370bc4f99b4e6fd82c1051a9

SHA256
060fc4e58b67ac9e2f51014ecd8ed02d16b98a8194f1ea8fe70f6f3bd7204754

SHA512
6bcf0532ed2e8f7e04aac675a4bed96338ec53fab1edab1ca5607a5684c86096f6842826df0cd0dd683e2fe2f0f2867bf1f0e058648a668c24a82c8df4847277

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs.js
Filesize
7KB

MD5
4bd87919f95d72fde754f4f183708df4

SHA1
61a54015fdcea8b0c655c514d0defd316e5a5cc9

SHA256
3458babfb3c5a5e2520f697b7b7f15bf8766c358303bb9aab78bc2a9ffe011fe

SHA512
2ef7026492c81e0d26ddc96ccb1d456bbb06c684f251c454101befd08a21d7d78641d719fe405610f6a9d4f4c9645392721bd3360b87e20e8917011541331422

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs.js
Filesize
8KB

MD5
73c0077fafd54c1ea7991a5f97d5fa2e

SHA1
1e4e2773c48117fb83fc23edf1c7d11d8724c147

SHA256
0e8be53823f59d0d4c73f617c0c10db96212c5e8d16f77df744657b2b8d2bdf6

SHA512
b86abe88a458a8864798192befc95ea3f00d286137f81ea21f805c3807de50743d925f364b0c5e5821d5670a7480af7d777c56897de72b68915faf976ad0e3c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs.js
Filesize
2KB

MD5
33d60cb713de68749ae3f0348e9b18f9

SHA1
f608c46c094691da89c1e1738c2bc77293fe0b42

SHA256
d559c6cca72cc2ca9c1a9d1e1ab5f72e8100e3964666286e35f9c186e1b2544d

SHA512
ef77083e40072d4c8ea9545a1e5357ecc3ee21c579b46388aa8075a00b9736791e6ad2473c6e1f2741e176d85222ccfe5711dc435e394fc31bd46dbb1f28c65e

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
18.5MB

MD5
2dfb5139de4fb852bb67cdaef936cc2d

SHA1
b01aa35012f83d03999313a8c4444ae30606be98

SHA256
e740c75d8a4ef3bad1f10b22481803297174f761475caa12f948b25653901b84

SHA512
76f21c9220a3e4e585036658d966b15ec7b05c6056d273bf284fe3c76bc01a996c8eed457b915a12b8d1fac94e1ce731e81dff710f13233200721cd43f23431c

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf.tmp6432
Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip
Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip
Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\jigsaw
Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
\??\pipe\crashpad_1520_OARYHEZEETQZFBIW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3768-15-0x00007FFE594B0000-0x00007FFE5A560000-memory.dmp

Filesize
16.7MB

Download
memory/3768-13-0x00007FFE6F1E0000-0x00007FFE6F214000-memory.dmp

Filesize
208KB

Download
memory/3768-12-0x00007FF6AFBE0000-0x00007FF6AFCD8000-memory.dmp

Filesize
992KB

Download
memory/3768-14-0x00007FFE67270000-0x00007FFE67526000-memory.dmp

Filesize
2.7MB

Download
memory/4820-1327-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5604-2596-0x00000000738E0000-0x0000000073AFC000-memory.dmp

Filesize
2.1MB

Download
memory/5604-2572-0x0000000073CD0000-0x0000000073CEC000-memory.dmp

Filesize
112KB

Download
memory/5604-2660-0x00000000738E0000-0x0000000073AFC000-memory.dmp

Filesize
2.1MB

Download
memory/5604-2622-0x00000000002B0000-0x00000000005AE000-memory.dmp

Filesize
3.0MB

Download
memory/5604-2628-0x00000000738E0000-0x0000000073AFC000-memory.dmp

Filesize
2.1MB

Download
memory/5604-2522-0x0000000073B90000-0x0000000073BB2000-memory.dmp

Filesize
136KB

Download
memory/5604-2519-0x0000000073C40000-0x0000000073CC2000-memory.dmp

Filesize
520KB

Download
memory/5604-2708-0x00000000002B0000-0x00000000005AE000-memory.dmp

Filesize
3.0MB

Download
memory/5604-2738-0x00000000002B0000-0x00000000005AE000-memory.dmp

Filesize
3.0MB

Download
memory/5604-2590-0x00000000002B0000-0x00000000005AE000-memory.dmp

Filesize
3.0MB

Download
memory/5604-2523-0x00000000002B0000-0x00000000005AE000-memory.dmp

Filesize
3.0MB

Download
memory/5604-2654-0x00000000002B0000-0x00000000005AE000-memory.dmp

Filesize
3.0MB

Download
memory/5604-2571-0x00000000002B0000-0x00000000005AE000-memory.dmp

Filesize
3.0MB

Download
memory/5604-2574-0x0000000073BC0000-0x0000000073C37000-memory.dmp

Filesize
476KB

Download
memory/5604-2575-0x0000000073B90000-0x0000000073BB2000-memory.dmp

Filesize
136KB

Download
memory/5604-2576-0x0000000073B00000-0x0000000073B82000-memory.dmp

Filesize
520KB

Download
memory/5604-2577-0x00000000738E0000-0x0000000073AFC000-memory.dmp

Filesize
2.1MB

Download
memory/5604-2573-0x0000000073C40000-0x0000000073CC2000-memory.dmp

Filesize
520KB

Download
memory/5604-2520-0x00000000738E0000-0x0000000073AFC000-memory.dmp

Filesize
2.1MB

Download
memory/5604-2521-0x0000000073B00000-0x0000000073B82000-memory.dmp

Filesize
520KB

Download
memory/5604-2746-0x00000000002B0000-0x00000000005AE000-memory.dmp

Filesize
3.0MB

Download