wannacry | e46d669202569d23a377958fbbbd6efae4d90a2251033095669a5fea4d481688

Analysis

max time kernel
451s
max time network
452s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
18-07-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry_ransomware_attack.html
Size

429KB
MD5

c01af42ed6d1d1fb865f266124533dba
SHA1

90860f160ade023ffc6171f7cebaa399b7760995
SHA256

e46d669202569d23a377958fbbbd6efae4d90a2251033095669a5fea4d481688
SHA512

cbb679ce9957d0a3895fa0ea6377fba71da9de4581a188b393dbd3ae89efe2746182b12a5f2240a9abaa83ddf860e7cce111c0328933aa7811ccefb759ef3ee6
SSDEEP

3072:P7+1l16LFIaZUynffVCMAul/cb9nnjtJd17X63cPYWk31KYsA30Y8uyvt2a9DJkQ:CCbWqcv2plKx7BPavWXDfEIfP

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD914.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDD92B.tmp	WannaCry.EXE

Executes dropped EXE 41 IoCs

Processes:

WannaCry.EXEtaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
4336	WannaCry.EXE
4704	taskdl.exe
3452	@[email protected]
1088	@[email protected]
2068	taskhsvc.exe
3864	taskdl.exe
2976	taskse.exe
4740	@[email protected]
4756	taskdl.exe
1672	taskse.exe
3756	@[email protected]
1664	taskdl.exe
1596	taskse.exe
1232	@[email protected]
3724	taskse.exe
2392	@[email protected]
2016	taskdl.exe
2004	taskse.exe
3856	@[email protected]
2268	taskdl.exe
896	taskse.exe
4704	@[email protected]
3720	taskdl.exe
1056	taskse.exe
1756	@[email protected]
984	taskdl.exe
1768	taskse.exe
2760	@[email protected]
1460	taskdl.exe
1620	taskse.exe
4688	@[email protected]
4200	taskdl.exe
5856	taskse.exe
5864	@[email protected]
5892	taskdl.exe
5140	taskse.exe
5260	@[email protected]
8	taskdl.exe
1492	taskse.exe
5732	@[email protected]
2944	taskdl.exe

Loads dropped DLL 6 IoCs

Processes:

taskhsvc.exe

pid process

2068 taskhsvc.exe
2068 taskhsvc.exe
2068 taskhsvc.exe
2068 taskhsvc.exe
2068 taskhsvc.exe
2068 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1592 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2068	taskhsvc.exe
2068	taskhsvc.exe
2068	taskhsvc.exe
2068	taskhsvc.exe
2068	taskhsvc.exe
2068	taskhsvc.exe

pid	process
1592	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcblfqtt614 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
34 camo.githubusercontent.com
35 camo.githubusercontent.com
39 raw.githubusercontent.com

flow	ioc
2	raw.githubusercontent.com
34	camo.githubusercontent.com
35	camo.githubusercontent.com
39	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 29 IoCs

Processes:

msedge.exemsedge.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 8400310000000000f258138b1300444f574e4c4f7e3100006c0009000400efbee9580786f258138b2e0000005a5702000000010000000000000000004200000000009d8b750044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000f258978a100041646d696e003c0009000400efbee9580786f258978a2e00000052570200000001000000000000000000000000000000b30d5200410064006d0069006e00000014000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3637748876-3197268895-3385380113-1000\{9A985581-429E-42E8-8EC4-DD9937263AC3}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000f258978a1100557365727300640009000400efbec5522d60f258978a2e0000006c0500000000010000000000000000003a0000000000b30d520055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3344 reg.exe

pid	process
3344	reg.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\wanakiwi.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2872 vlc.exe

pid	process
2872	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exetaskhsvc.exemsedge.exemsedge.exewanakiwi.exetaskmgr.exe

pid	process
1792	msedge.exe
1792	msedge.exe
1396	msedge.exe
1396	msedge.exe
1760	msedge.exe
1760	msedge.exe
3444	identity_helper.exe
3444	identity_helper.exe
660	msedge.exe
660	msedge.exe
3412	msedge.exe
3412	msedge.exe
2068	taskhsvc.exe
2068	taskhsvc.exe
2068	taskhsvc.exe
2068	taskhsvc.exe
2068	taskhsvc.exe
2068	taskhsvc.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
4176	msedge.exe
4176	msedge.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
1688	wanakiwi.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2872 vlc.exe

pid	process
2872	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exewanakiwi.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4408	WMIC.exe
Token: SeSecurityPrivilege	4408	WMIC.exe
Token: SeTakeOwnershipPrivilege	4408	WMIC.exe
Token: SeLoadDriverPrivilege	4408	WMIC.exe
Token: SeSystemProfilePrivilege	4408	WMIC.exe
Token: SeSystemtimePrivilege	4408	WMIC.exe
Token: SeProfSingleProcessPrivilege	4408	WMIC.exe
Token: SeIncBasePriorityPrivilege	4408	WMIC.exe
Token: SeCreatePagefilePrivilege	4408	WMIC.exe
Token: SeBackupPrivilege	4408	WMIC.exe
Token: SeRestorePrivilege	4408	WMIC.exe
Token: SeShutdownPrivilege	4408	WMIC.exe
Token: SeDebugPrivilege	4408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4408	WMIC.exe
Token: SeRemoteShutdownPrivilege	4408	WMIC.exe
Token: SeUndockPrivilege	4408	WMIC.exe
Token: SeManageVolumePrivilege	4408	WMIC.exe
Token: 33	4408	WMIC.exe
Token: 34	4408	WMIC.exe
Token: 35	4408	WMIC.exe
Token: 36	4408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4408	WMIC.exe
Token: SeSecurityPrivilege	4408	WMIC.exe
Token: SeTakeOwnershipPrivilege	4408	WMIC.exe
Token: SeLoadDriverPrivilege	4408	WMIC.exe
Token: SeSystemProfilePrivilege	4408	WMIC.exe
Token: SeSystemtimePrivilege	4408	WMIC.exe
Token: SeProfSingleProcessPrivilege	4408	WMIC.exe
Token: SeIncBasePriorityPrivilege	4408	WMIC.exe
Token: SeCreatePagefilePrivilege	4408	WMIC.exe
Token: SeBackupPrivilege	4408	WMIC.exe
Token: SeRestorePrivilege	4408	WMIC.exe
Token: SeShutdownPrivilege	4408	WMIC.exe
Token: SeDebugPrivilege	4408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4408	WMIC.exe
Token: SeRemoteShutdownPrivilege	4408	WMIC.exe
Token: SeUndockPrivilege	4408	WMIC.exe
Token: SeManageVolumePrivilege	4408	WMIC.exe
Token: 33	4408	WMIC.exe
Token: 34	4408	WMIC.exe
Token: 35	4408	WMIC.exe
Token: 36	4408	WMIC.exe
Token: SeBackupPrivilege	3360	vssvc.exe
Token: SeRestorePrivilege	3360	vssvc.exe
Token: SeAuditPrivilege	3360	vssvc.exe
Token: SeTcbPrivilege	2976	taskse.exe
Token: SeTcbPrivilege	2976	taskse.exe
Token: SeTcbPrivilege	1672	taskse.exe
Token: SeTcbPrivilege	1672	taskse.exe
Token: SeTcbPrivilege	1596	taskse.exe
Token: SeTcbPrivilege	1596	taskse.exe
Token: SeTcbPrivilege	3724	taskse.exe
Token: SeTcbPrivilege	3724	taskse.exe
Token: SeTcbPrivilege	2004	taskse.exe
Token: SeTcbPrivilege	2004	taskse.exe
Token: SeTcbPrivilege	896	taskse.exe
Token: SeTcbPrivilege	896	taskse.exe
Token: SeTcbPrivilege	1056	taskse.exe
Token: SeTcbPrivilege	1056	taskse.exe
Token: SeTcbPrivilege	1768	taskse.exe
Token: SeTcbPrivilege	1768	taskse.exe
Token: SeDebugPrivilege	1688	wanakiwi.exe
Token: SeTcbPrivilege	1620	taskse.exe
Token: SeTcbPrivilege	1620	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

Processes:

msedge.exetaskmgr.exevlc.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
5964	taskmgr.exe
2872	vlc.exe
2872	vlc.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]vlc.exefirefox.exe@[email protected]

pid	process
1088	@[email protected]
3452	@[email protected]
1088	@[email protected]
3452	@[email protected]
4740	@[email protected]
4740	@[email protected]
3756	@[email protected]
1232	@[email protected]
2392	@[email protected]
3856	@[email protected]
4704	@[email protected]
1756	@[email protected]
2760	@[email protected]
4688	@[email protected]
5864	@[email protected]
5260	@[email protected]
5260	@[email protected]
2872	vlc.exe
5532	firefox.exe
5732	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1396 wrote to memory of 1516	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1516	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1580	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1792	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1792	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 568	1396	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4808 attrib.exe
4920 attrib.exe

pid	process
4808	attrib.exe
4920	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\WannaCry_ransomware_attack.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff82fa93cb8,0x7ff82fa93cc8,0x7ff82fa93cd8
2⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
2⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
2⤵
PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
2⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
2⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5260 /prefetch:8
2⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5336 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
2⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
2⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:8
2⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
2⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
2⤵
PID:1576

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:4336

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:4808

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1592

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 180201721323244.bat
3⤵
PID:3864

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
PID:3056

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
3⤵
- Views/modifies file attributes
PID:4920

C:\Users\Admin\Downloads\@[email protected]
@[email protected] co
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
3⤵
PID:1520

C:\Users\Admin\Downloads\@[email protected]
@[email protected] vs
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:2256

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3864

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wcblfqtt614" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
3⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wcblfqtt614" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:3344

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3756

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4704

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3720

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:984

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1460

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4200

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:5856

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5864

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5892

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:5140

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5260

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5732

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4764 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
2⤵
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
2⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
2⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
2⤵
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,9323111337163648545,11380708764229172329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4988

C:\Users\Admin\Downloads\wanakiwi\wanakiwi.exe
"C:\Users\Admin\Downloads\wanakiwi\wanakiwi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1592

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5304

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5348

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5964

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5452

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2116 -parentBuildID 20240401114208 -prefsHandle 2040 -prefMapHandle 1800 -prefsLen 21730 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {feadb710-15f0-44f0-ace2-d8b0392662ce} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" gpu
3⤵
PID:4088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 21730 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5dbe447-aa76-491e-8e18-9e0a9b6693e2} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" socket
3⤵
PID:4044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3568 -childID 1 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 21286 -prefMapSize 243020 -jsInitHandle 1384 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed90092a-3085-408a-9b5f-128765313c62} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" tab
3⤵
PID:748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 4052 -prefMapHandle 3500 -prefsLen 22668 -prefMapSize 243020 -jsInitHandle 1384 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1624e64f-8df9-4be6-abf8-4f27395ddf70} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" tab
3⤵
PID:5920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -childID 3 -isForBrowser -prefsHandle 4504 -prefMapHandle 4500 -prefsLen 29096 -prefMapSize 243020 -jsInitHandle 1384 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f9d407f-127a-4133-a07b-f667e6a5165b} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" tab
3⤵
PID:5028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5156 -prefMapHandle 5152 -prefsLen 29756 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cff3284-875c-4c5a-912e-dfbaef9431f0} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" utility
3⤵
- Checks processor information in registry
PID:5200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -parentBuildID 20240401114208 -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 30166 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {482cdd75-4e56-4a5a-ac43-a0e5886f95d4} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" rdd
3⤵
PID:2324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3564 -childID 4 -isForBrowser -prefsHandle 4296 -prefMapHandle 3744 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1384 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20e2186d-0c56-4784-8cc8-64fa819260dc} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" tab
3⤵
PID:6104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5772 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1384 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92e02848-d373-4f75-814f-9b23a54f8b4b} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" tab
3⤵
PID:6004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 6 -isForBrowser -prefsHandle 5892 -prefMapHandle 5896 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1384 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21d05799-13ab-4b7c-8e45-1ebf292973c2} 5532 "\\.\pipe\gecko-crash-server-pipe.5532" tab
3⤵
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1998107017edc46fed4599ad24cfe53

SHA1
47e92f0646f0de9241c59f88e0c10561a2236b5e

SHA256
cc6838475e4b8d425548ceb54a16d41fb91d528273396a8f0b216889d79e0caa

SHA512
ef7228c3da52bf2a88332b9d902832ed18176dfff7c295abfbaab4e82399dc21600b125c8dad615eb1580fab2f4192251a7f7c557842c9cac0209033a3113816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21cf39beee4d807318a05a10dc3f1bf3

SHA1
01ef7fc09919eb33292a76934d3f2b5ba248f79c

SHA256
b766823dabbf6f78e2ee7c36d231d6708800126dc347ce3e83f4bf27bc6e2939

SHA512
0baf8b0964d390b9eb7fafd217037709ac4ab31abcdf63598244026c31284cd838f12d628dcffe35d5661ba15a5e4f3b82c7c2d9226ac88856a07b5b7b415291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
78b45f66500680832e342e6fb8f0c7a0

SHA1
457528aace12ab0b6487a490d7b8a6adb13dc8f0

SHA256
5cb9b5d3fb0be382aa00936369c7589c938a438c3942c9883072dee465458c00

SHA512
6c1aad5408b7c02a828596f5030fdd310b78b79dffdf3b3dd997aa26802b55026bc18d7fff44a0e3fadef8087b43964262a9894fd4fc06de1b229bbc6d3b2b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
23KB

MD5
ed239671d609c66bdea1297bd11879a9

SHA1
7a3ece813c6df65cad259a070a4cbf5bfac5e7a8

SHA256
fe320f1c5b67402aa8fede269a0a6d1169b478ecb4104acc79c67cbfab06cfe4

SHA512
018ac5e9e86728e6577fe9fffb254e8fe51efaaa50bcfff0a8c2fcfc21ac20af55d92b837554c3e419e47f5a8f226fe1e1e5702eb710c4c1b00b00fc9cbe3576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
18KB

MD5
e235dcd374dc9e106cde525efb947376

SHA1
10d37a8228d6b730f6677b54cc1f4cfb3ad4254f

SHA256
77a63cabff4feb0ce7dbb4a9e8f99ae34603a97bfe6191b62ab537401034bc8e

SHA512
ac0647bde896311c40773cc93e9a5e099eb31f5be82b507c173d6d7d464f31893062bf3d577e4e287f6f5135eaef07bf42102b0dc9551ec4f9db962d8fd14bcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7b9be6adefc302448aca8d3e7cb9804b

SHA1
a6c65db6db12f4ef898dcf5bd76e9ae9bf3e7926

SHA256
39ff5a9dc406232d4345ace9bb5b51f3d2dab3a2ea317503fba7686c77a0ddd5

SHA512
11178bbdbb2686e129fc77bec8a32834c8e3bc4e8ba5aa1c912f80b873f406137248517210d82a20a99989000d5d1ba61c501c798c62cd5e52739f90c2c7a763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c22862555aa2a083c1bd15464f9345f4

SHA1
261d0a5736c8ee44dc199c2a7ab403d0cc82b794

SHA256
6339f770334ffb842dfc295119017501cc6b4590356931d34092048aba06bcfa

SHA512
61c0df5bc5d24cc3a9aee742e3095b2c43199c6cda377c5744894f9e469a6f1892d4e2f5f1b2239a4fb5fa4277ea5933f2ba90f5c24b0482d42c7ed86e2820a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
41bcec46dc8da970e118e51ca2f244ad

SHA1
7b1425f80c129a270f5c3b2956508533a48da1f7

SHA256
9bf8b02f16a586f134f7c1a86e44e6801f8377d4c3e9fe5d625c07e9e7809dd7

SHA512
daf3f9494245542a9c6826d83b7129fcea2df159270a708206cde368b52410d34d86d0b5180ed0ab4d6669e80c51d482f82befba5649a7ba69460d92ab0b3884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3294abd74b80d2b1c38b14bb7f5fc551

SHA1
c656d0e70b0e2bae5e4b78b6f2047913c801d763

SHA256
4cf207197f30d1b4ed722664209d94cf57944b28caf54d25670438812338b732

SHA512
de71644ce711a90bd1f6a1bd64733ec12c55712637b32b27179ed77599e3432e5e2af03fed1eb528642ab46fd6ac0fe77ae0ea2a3e008660cb43a13fc2104972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
880B

MD5
1ca8a129679add25305901438a74c66a

SHA1
9f350c1b6c1175ffdbb8f190fdf6061298d6fc42

SHA256
8192f9dfeb362d15a3a47bd2b9ff0ac034aebdbaf53b2a288213274802defada

SHA512
5bc0af66bda04cd86df48ff5a758f8c06cfa1b589beb8a4a8d5f17d073ca190ce36577550d5e0356df7d475203b2888f3a1b99c41159faa42179e51e569617b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ecd3e48158156353614db4f58e46e6a3

SHA1
6c90736c489067b945b351807be44ff19592878b

SHA256
fc99ee1972d79fef939049751bcbd7c9d0b0a568771cf670fe15a36c280724ae

SHA512
6bb7efbaef37fc177bc6d0852b9dd4decc7da4a4a8de72779d42885ef660dee063c40a896c8851e52cc8025c904bcfae330c9d4e87107ba6cd34203ae56bd31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e3f65002ef78bea9cfbfe8b72b4c5270

SHA1
ddb8be07199bd202711d1c21aceb3af47654b31b

SHA256
eb19c99c7ad7398a367c12c78d32932a99d7b43984c7a95299f659d8e7cb190b

SHA512
6348babec76e77d4a3992bfce192ac054b008433e9df43d09a8b2fa4d9715ff51e56822bf0e5d3aea23b208dfea1aab9b4bea530df25ea0a8a35b672795efdd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
69010d26156b4380710afd988f16b668

SHA1
f161f870011b9f343563f295251fe377c0ede25a

SHA256
4177d396db323562698eb2fb8469b1680b19ff303150b8fc504c8da5086c5cc2

SHA512
94d57fca20b85607a3e7cb09e390a00836f353b7159b5873fdf8d7428611e38a42cd9dd795ff782c57bf4b63a15fea9ef9cac9199ad5635ce71ac1d57c88d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
49f3ed5f305db6d593e0992e1d2d3fc8

SHA1
98198c582862c9251ec6176c3c1a2642b6681a52

SHA256
338c795ca8c0c675136e79620fd9485d6af6477ce4df3e7566d6a3db3995529c

SHA512
c79f6b935f43f172a88c4d4c83c20c41286ae3e983190257debf01f0fbb930d6449c94fc72e45cf1b905b782ec1bfb8fc75819b64d8cec83b3ffddd11a4ff04b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
8d27c45e28f5496a3363f6d213cae3d4

SHA1
a4465c6b570bddca5fbdd2c12925dc8cde186fa2

SHA256
f656816946732998fdac654fa52da75dbc6e68140ff696a184a763720d5bcd0c

SHA512
5770ef26eeb8ab9101e60191cb722af0abd41896b5f03fbba1b214451ba32716f95e5ba1e2ed04cc3b83c8b668c9dc974d9dd720a7b2aa259dd441268df22a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c9b3e904da3b6ccfd1b3065ebee0b3bf

SHA1
7665b504d389171b3138546627f214116f06dc82

SHA256
3c9642952f0504cd73b0ffa3c8495731891864fcb599d4550d302f0b4e3f4051

SHA512
e54bd14701a74e02e9c41552ce264c3bcc7cf219f71285b0af08d42066d1a8933981bb9445e217cedd7e8c57dba81be7d8025fb3ef9d1059bab2248101410704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
70f7f49310da1f07a9a60d352c53ec3d

SHA1
af86788da68df375008371c971d9c1907ca30dfb

SHA256
92592d11ef6b2fc6e3dc6214c6b9a14b3810988eb0864a10d634177cc0b81d84

SHA512
ab4179cbdac97e0c3c0411624ecbd4094f4f21ea5350e2d3fc323d92d1320ed0313fe8cfd7528dd985c420490ff9044f5f61350ba301c9b94e4d5f688830db53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e0137f594bee4dc8904c58fe02545d7

SHA1
8068c7598125b2213dc9241fad51d7299af71c3d

SHA256
2d2218b1ced70fb175ab10ba744ca31e18524d669f0d462acbaa643282cdf33b

SHA512
7aaddc3e274d97e8bb71bb5e138d8639d0edc7cbf8b26ed80d0174927782785be9296231cd153ac9d18570eb9965cf1a3b50fc14492628518ccb3320199cd211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f0e695ba405ef1da507194c677e54942

SHA1
36854303efcefcd002f518558502c786c8d7c63a

SHA256
c702285c280be6f1b53210e61214c79a868f8c7edd71602f8730585f61b9543a

SHA512
d7c772fe58895677b4c285a6bca18a7e0dea852f3ae6f5d4f4fc98f2d97190ab4268cc8b70bf512b32220a706f09902f7a0532d5ef4d08b34e9d020caf709c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c6ff024fd47fbc3311270b1fecbebd5d

SHA1
d49d9eecad6368a2075b844ffae3a7f459b9e83a

SHA256
92cda48e71d020867b016200fefd55c3b9da5fe083a16867ce0871be8e1c2f9b

SHA512
85f4166818d2a030e3dca51ad2c86ee1f6590cae78a30ed7e74bbfed2309c862b42ead00ab937cbc2b8d74332653a43b89c768bc90dc557d4a7f38ff45958a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
57de5426b4a456a5eeb8efea1061df56

SHA1
24c5ec514a2d6596beb1b5dddee48e5e3aa389d0

SHA256
71f24cc612a9b313457f7107d44e113f185914117d4641a29fed5ad352fb7ac4

SHA512
a3887a9fb6968905b4ecccc3d3330813e23f2355c8b4f38648a716db02a395d34680d9c4d4d7d6a6d565faf463ee2b60febba83fba98f0d0026eddd6decad671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ce1d659d37530ecfdf3e35af1a61d7c

SHA1
ad65441a0fe638f852fbf4d839bf987a8245586c

SHA256
4eb6e98c5932b7383581b7d6210471f4e68211597deaf1beae36f60d441961b3

SHA512
49dd4e3acbdfae7b2c7298eff56774f93ca5d96c181cecbdb8b5ec254eb8cb0179980d3145db9ed6cd99753ea51f157d2d7ab09062d9243ed7838607bbcfbeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37a3f8f37ad9e01f0a971ba36fb2093b

SHA1
6d3388f1f7ecbc9560df3e1995b0b0f616bf60f7

SHA256
532543b06839ecae613822be2a44bc752b6410f4503139213be39a3c7df33f3e

SHA512
348d645cdd3115b743b8cfdae8b10474116a81585d6a2c114369819dcdbf0d46211d3760205b1ae07fe1cf7b74f9d5824f558f325ac0ed9a3b539f4040471735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40d3c91dd63317e9345123f025d22893

SHA1
50e4ad69ec1e6df175f8154501a3d462d395045c

SHA256
e1da7b89886295fef942e46d24915db5d44f8c547d5148f7f2da60ae8dc42f5f

SHA512
5f44178b51fc7dd50f3a394b50a6bd71d2609056984ebcbf5452122be05d461501dc93482c5f283f851e10ca8e07c4aa0ca0f652c0b75330435a1ef23eac7fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\175d4b957781948c_0

Filesize
16KB

MD5
2286a04412919605daa218aedfd0d861

SHA1
61c20b18b87500fe95754b55b9287f9f8caa57a4

SHA256
b7bbd586a2ad943fe1957943a07f0bfe3cc0b241c123d5b9eeb94dfb507ded14

SHA512
90ccd00382d0a435d3e6c88bcb73e625b7bd72332fdfe4fdddf79c32c23795f99501f2f5e74ec850a2cb5becdac2e19ca26b0af5677aba6e4be2f24c9742544c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\438191a639b807cd_0

Filesize
15KB

MD5
480f831024e6c8ed95c424bf1b2dc09d

SHA1
cfe1511785dd0debac593a8705420ef97acf3d47

SHA256
da63aa20afd7edd2572d0b98daf465ee0cb67c9be2b90c71a83489f38ddbf020

SHA512
d8c1026836e1e578245ccfc0595f85bc596949f82dca6a35ba7d1587e882402ba83f18c835ec2df923d6b5d4aaa814c795e9a7d0287b0d98bc32884b9022e9eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\4e96683958f7ce43_0

Filesize
11KB

MD5
3900d9844f8c9c41f26745282a81d675

SHA1
62996cc03bfb8eb8cc8b366cbe51cad2ff762d04

SHA256
40007903e2f9e209bfef9ac4de313cdad40d01b571205cd285efdd3ea08cae00

SHA512
f77dc7ef6bc4a394d2a0e6709d79748a96315dcba4ab1a89894eabaa36ec9015d94d473f399c2b90f336a8e9e1e9441e2c50f11914fd0e1ba88bf5d9caf6d2ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\5292bcecb49bfec6_0

Filesize
8KB

MD5
ba24bce13b26f3700b1592cbdd2d90cd

SHA1
b8529cf2f02a9ebb4d4a1f40704266d5c8bfd0b4

SHA256
08ab8090ccfb04038ba0f42d166b809f7144af0affe40a788fb24b7aa990747a

SHA512
ec68a986fff3ea604c8869450fa69cdbb5cc09c492e92fbcdcb3d9f0ca7374ffa78af4e4744aafbc006b172a92da7af77ece6d93c245ecf46bea308d5ee46f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\5b5c8ea0932be98a_0

Filesize
12KB

MD5
047fb81fae4d20aab88c948c332ba38e

SHA1
948203d376584e4fbc7067a4a7d811dc4d0f2be3

SHA256
29fe7350849bd2cd2beb86857b647d59eb1e8a1b20bce1b95d7dc676de7b4839

SHA512
728277a3283cbfbf06c9bc46ccdb89f9a4004f41041a9af1f646c9f5404d0b7b0512a2052bf440ec8bffc0823700dd1b121193e9ee562a753ad7c203e1a19f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\65c461f5f3fe4f88_0

Filesize
2KB

MD5
be37fff9cc7cc9233c5068bb4e8852a0

SHA1
1be3505fc18620ccacf090b49a0fe7b099156253

SHA256
f9495a9434e53ffa9edf77ee3990ec2e40fa88f220d798fe8a5caad1fe59a24c

SHA512
e9907bad8fe0588881576cd30da6a6ad3bfbd3fc7ecc17e511adc6356bf2afe614eee3ee45beaa8af31cf6ae6ffabbeca436af8d8116aa3dc941e327919621e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\712615ec4b7d45d2_0

Filesize
5KB

MD5
7db0a23c1a9b4d459ed2240b184f6382

SHA1
47ebeb7c33535a6df8d3edf1ffd07ff7327eee52

SHA256
d14f3118aad1ad4826cff1cf081e5c7f4a76a33cc1cccb43e20c602ebf1fe2cc

SHA512
324f4fe0d97cefa51721398578a1b2ddced56978d277a8cdc4ed933d074697175456261ec7fd69284a31e9962f86474f129a6218a066f835de35be00c387892b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\7c2c908a190bcb3e_0

Filesize
6KB

MD5
ebfe6eb80cb10a5a3d00413867a5fab9

SHA1
d16f7f5e3a6e32e081d9396f393b841a3a091e12

SHA256
4c4b1b9bd5552607e30f4951628ec2f856bb6af50f416f32868d00801d96a7d3

SHA512
159c9e06444b7bdfd48613262a17f637b5c94405f99ec97e036357849c403894e45724fe77cdd0b417b4c49af810baa14d6725f9143223185f700fbaf68c581c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\7caf7ba3eac825ab_0

Filesize
5KB

MD5
859ff183582d20ce6b87bf9feca5ec7e

SHA1
81fdb224dd4a52eeb7c0cc102c12b95a25932c1c

SHA256
7883fc30933fe3d0e3db7d09c7c54ecd640e834621032f9adc3f3e838f191ddd

SHA512
0e7b3355c1863c80bdd70c5cfff0e2be9a34660af1d3b72e92dc6396073faf1dfad8a19bace5a16227d491473afd9592235a3b36291d84b68be1a34cad8440d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\7d318228fd0c728f_0

Filesize
20KB

MD5
540ab3281ef384d1f284179c1ccb47f4

SHA1
71366d79a6bbcc1968dbb607360a53a665066cfd

SHA256
40a1c281a53ee3c9febd701d86d87ccf84337a1f314896756a8d16b721293efc

SHA512
9713a204e07091e6bf6685163595eec0090b616582726737fc367df7021369d419f7e52fae4d6fc768c62c7538dc8f711ecc04edfcbc47c2c8d23505923a20ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\80f4789540225330_0

Filesize
4KB

MD5
87fd019939a7ac19a88c3749a96fee47

SHA1
f6cd475b4c65f14dd7160ff85facbc8e02a7f6f8

SHA256
648a00cbfd65c1c1b8c5b481ef8c6f054bfd01c2b4031606018ddb130ba1f8cb

SHA512
6d7687e6f1f79f8a12b2011e6489d06cea5970cd3fdcbac178746bd180df6efb0b0b7fdc78000098b9cecebf72e1b601ca49d7b3fa5c0099bc09bd3ada1c2f05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\8a92927e116e33fd_0

Filesize
7KB

MD5
d486431bd7c04f5a8cae0348d1e97353

SHA1
9344d1285ac82cc4fc80fafb6f0ff72119af28c4

SHA256
bb29a428d682400381fb5bd0da7fcee245770a58b34a520ee214ceebb8a42fa9

SHA512
73787aa553fe7ffa5c19c090e1f1519b9141136414ec63b6ad91840c55fd897b5a7792edfdbd3f9a392273970b55a7afdfd50e6c9d5615b47867bdad9419156c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\929c2576d927658c_0

Filesize
13KB

MD5
d31f1e10354ed12184f3ce8367d04543

SHA1
7f8ae66f272287f58f84281e74e819ff31bd4832

SHA256
53c46306a261d2a26e153ad7e9c278e58b4670abb71c6806c8f85b69c5e0fd7b

SHA512
654b089cd13a6316ccffbbfb5e2ad6bf969661daab10002deca92a8876e69b7a2e758db25684ce3981d0228561638bfeb5b745d9a5c7386855fd887befb93dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\a435b8274946bc2a_0

Filesize
27KB

MD5
edd9985e2e31619f1139c07f22050abc

SHA1
c2461f792d2792cf5eb60cdaa20a6b89b0dcb923

SHA256
d985149b83bee5c6518dc976e4962bbfbba8859d4f57988e8c1ff4afac4c4626

SHA512
90fd3cc3a4f4cb302ceebc0f846fb6bcf91917a9f3f52cf5688a7eb4d3e04b3eaa57be4891d092cc94ece0474aaeca48621967558963d1e6b8fde9c5b3f71faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\a7649b09b821e692_0

Filesize
17KB

MD5
e57b6f59bb514ed35aac2519b4bb1b4a

SHA1
931654281461cb948158fb3e9ab0f6e0bd340027

SHA256
ecbe861a1cffd141d0282c69df7c21545b1237230e0bea74b73e2f24fff560d7

SHA512
12303bd7dcf7f91f47f0745a2ee23ee958a2aaae6eaa0ee83078350fb59c84727c2d59c7edcc08efff2b1972b981ccbee456f97266f275b1ebed88decc511f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\aaddcb6da2450ead_0

Filesize
6KB

MD5
f33101e640dc35bde31a6af8130b6ef4

SHA1
e3639f98f5d85eb84761b04ae1425aeb908b9dad

SHA256
7f4cf5d99e90b3f0381dd6b3efca5c5b6ecaea373501e43a9093f78177d106db

SHA512
d240c2bc4d61973aec565a3fcbbbf6a95f75e556a0cf3d30955fa19094a728e457d63b3e726bff67abd152f9ab3128cfb5fee2140683de786593ed6be28220a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\b18e923b53dbff6c_0

Filesize
65KB

MD5
53f706aa37ed8ff23cbd11c972ad7e7d

SHA1
4bb25124332e167a0c37f0e7be2390a8b655e14a

SHA256
fefd1385c352835b65ea2a729e2dce5e8af816b9f1bdd5cfee2933a456b1e5fd

SHA512
712618c7899679d328986b9c59de05343dcf41267b6b946b214ebcd1f31bbc59aa89ab882bc8870ed7851ecbf774d289b33794862c517c910e565fd47e3d5fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\c8b8a8915b5c85aa_0

Filesize
6KB

MD5
b88f37736b1fc12a6d9d139243d5bf78

SHA1
01e11dd56e384b734897c40a0d1b00a58897495c

SHA256
17217f55cbd5a479efaf85f2ba794fef89cecd58aced4a4a4e64b16632b8d54e

SHA512
35816319cd768b61aea50cc685e6de2837fb45032924d6723ba483deebb02a45d32030530e2ac71d95341e7a4074e190ed4bf3353a51a3f73bf30c3d2e1b999e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\e6c08b0780c523bb_0

Filesize
707KB

MD5
bb407ae0e49671e6a3336ae2850616bd

SHA1
374dd22eb5755f48239d5b227bf64a21ce0bf6d2

SHA256
e2ddeb7f3aaa8948cce861641d088b37c72802a61c7a3e4d27375f3bf0e8896c

SHA512
f3ee3de155db35c671ee143c42a66a1587fc0434fc38536c68e3eac5f4d878515e219bee820914d8375803ff08f795fa7c6ee52c52697cf03b8f755cfcf047df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\ecb53de37008b512_0

Filesize
49KB

MD5
34666ae5cb8ef2289aa8ede13f8f5911

SHA1
88f680975b38a96eb78faa40ceb68b533521fa5d

SHA256
782c6754b69e4f851cd08e49d3070a258fdf6ec7e401ea9cb604e9cca081183d

SHA512
b3981366a74a7afa36e67d2ad409b3e6d5e8cb34272eff1f204e5e28b0af7fa0c43c1b2d2ff0f02693760bc322654af0a8b26f373c36b7d69097efd9c7c08d17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\f294647f25efc01c_0

Filesize
6KB

MD5
a62eb24671c404f838c62ec0d2595aeb

SHA1
fbe10dce78012ef23adb9f1ee6dc23de6aaf0a9f

SHA256
93f4e73fff372b8bf36d6b55cfd43f9d0350c87d066dba295f621d4e2c596c90

SHA512
703da0dd7ed587beb6e292100ba4193f43193ad85b7b035b14beb10ff8b83a654ca223bce3a6465313b076cda8c7efebfdbc3f07b9a6f5b86bbb59c5991dc4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\f899accef64e699d_0

Filesize
93KB

MD5
7d6b148309d71b4b3a791c6a60a83c02

SHA1
0527531cc9b935632c138df4b8c6a064ad3d6dce

SHA256
aff10cf9d9be9222d9993082b9dc73985f527ed5843685d696ec98707a5b03e5

SHA512
a020abb103e2f660d613a3b02a2c74e99c561523ed693cdab962bad6ab33c8d4998797e0b72022a834b42bff3b2fb9dcbd690795eedda40c1a4eabadd121687d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\index-dir\the-real-index

Filesize
672B

MD5
94d57803c4ea999244ab03fbcbea64fa

SHA1
8510610dfc9eb0b2f6c32f26cf4e1df2176452cd

SHA256
0061cdc8c184a9591ab245001c224502a8e40be4e07090f090c139b54c4cf581

SHA512
962a3e4e3a778d09bc398cfddd0a47423e85a7e167715da7bc22121ad66a2ab878037d099498c3dbd2cc9897532cd977d5a04c065b460b0a87b5ead188d5bb63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\898570d4-8781-4a1a-9feb-19095c95b7f0\index-dir\the-real-index~RFe5c1d15.TMP

Filesize
48B

MD5
84d914e10a3786fa5449a79e32ad0fd7

SHA1
ba929d04ce9924aee75f4d2510bb267e996902fa

SHA256
cd4494fbf3174b36348c0eae4af61fb75fde7e51a755d21fe10ae44d5c59c544

SHA512
519c806059beda1a302a5b4a7ad62fdbd523cf00efb803dc56b30fc1d1962462d93adb4814e79d7867029dd2ae8abdb59cd3f05c64f4cad8f6d45fbb3589f424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\index.txt

Filesize
98B

MD5
78f7b9c38477a09012ddc8d4536bed19

SHA1
ae4b302c2f620ea4abc6ae49dc2b0697c18b0442

SHA256
0153f3330025c6f2236100be5cb7331e286447d44da06d9cc27e0f2e4e868b45

SHA512
037b15338959e89820fb0b3074dca8a7023c8848f5a56ba59c530b78e355581869a7226f47189aa8cb56ec83b18c9fc5df84618b783c7e472260745b0e35bad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\56115d637504abec4f37cc462f00159a1fbfdf03\index.txt

Filesize
96B

MD5
e31e34fb2a9b90db5970c669f9e5fcd9

SHA1
65bf85b6cddf613c84aab04454a380527be35b24

SHA256
c98b661a1c7ae8070dbea051edd10bb0c3973dca88e8cece0cb8e54793ffc62e

SHA512
f14977dc88c2a00085eadb4644f1cec391526af80e6f2bda09fe86b946ef09b1d07482f2f8c6024462208472af3c8ffff356f67a218c572485d73723bc73cdb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
414a1de670a0b93cafa6ba7b2cf515d6

SHA1
342ffaa30f93d51dccc8c05505b21fb64bb4a437

SHA256
f4613bfb0fd9685183279bf87adee5176b03cac21848514a667b5687769b2003

SHA512
95b734337303db7bdf916182f384275fdc4b5a369e380124e6ec7b05bc8c520fffd4b7dfb619eeabea8d6d8106311a2f29605daad98224ebb30886214026ecf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c0cc9.TMP

Filesize
48B

MD5
b293c1ab49770207fb41b03d9a606de3

SHA1
ec16d3d5bf77c14c444b1bd94cb0b4b69077adee

SHA256
1f482f5aa53b21981f6a91cc1989ac1567ba0d3303f66f871778c41c4004a8e7

SHA512
19c6c4b5f29acca947b882ca4f37af810f5df37d3d04a6d5ef73a6562c85b5ab33ebc99ed2c38ea59cb1091c1ef1da9590a1e05e3f4b4ac96f16e06cc14f9279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7756e4ba01161fdc8d54fbde23cda83f

SHA1
35a500cfa43b9f54863f55ff2cde15abdc97c6a2

SHA256
fcfa2d866551e0252601a9cecec32768b9e70a82a858f81ff724d3d5ad3f0206

SHA512
90bc03f938570fc7f7cc4fdc4abf5c8f1f59c304f2ae97e7560d26df0c9e922b052401f3f38e69096b216fd104d126b08562c40b26ac5936af0f900b6dda30f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06f3e5d4a78aaaf02e7af066eba218f5

SHA1
09443ac5d5418359db8a4130c17e4037727d985b

SHA256
2bc200ee6c5f2725a2292416235376425bf0aa3450b68deb938d8eb0f610e3e8

SHA512
140eba22117af73922af8bc0a6662d73b2323231b2487d39310c9576671d34ab07b0601fff6eec58415a2fb95c5f5f49365df6e82141c5a2e7d84d856921384a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
16c106c6749ef5204032235c72327254

SHA1
198d26c66a76751a894e898319e561b0001adf96

SHA256
0e98a23fbd70fa307f4af95d374de993ead74a86dd4564b4c36ae2a0646d832d

SHA512
81367d9a2f53ae26aa76740925ca6af772f18d7ff614b8bc7e94ea12f678f468fa336c4191abc70d45ee8adeec4d2dbc99769b1c1b2acdf06fd585b71f4bd631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e3c2dea89eb813c5400624c1abe3052

SHA1
e2385d6da59997336bc6c996f494b18363f5a585

SHA256
9468fa056c0cae95891daa4e457aa0813b2abde825c108d6deae47c143b6e560

SHA512
84fd21fe204f3acafe09cbfe8f51741064d1bc80d905ecb5d163a2f4b448bc4c2c969ad1062d4a66c3bc4fa357576c7cc219edc15648a2e8d233fc9530451274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3db099da9211bd745f78ae5afdc4beed

SHA1
1414cb0ce8f751b8275da93e59b5b17a06392bf7

SHA256
d9ff7a3a75dff4398ae8030c26bb69bad64fe9c83b35f83a62616a93f1bca3d8

SHA512
468bad4682b228305bac3dc1f4c9f4542faf05b2d76b3d1ed3bb63beb7d04f3ba00aeb0f0f831c36e36080383104a3d91efea97b31e56f4b6e40133d097aa938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e31666e3654b6a78cf095943ce86eee5

SHA1
2cd12f2d4bb32bd1f0bf22eae5fddec4203a1c4f

SHA256
e931ccd4444573098cad15ef28b0659ed0ce3f6c82e0d978a137ad79a6b72256

SHA512
398b004ab117e0045bc00d69a483bf669bb3ebb5a7fa09ecb6148a598e4d24776790e11e53695051c1f52fd018422f87690ee644ef9e137318c840b92440cf42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
96725fcba8d61f896858abdd5f20e394

SHA1
d7093a72836ae5ec92de24e947cb1fd1b09eec37

SHA256
e8888cf6c9a398e344f02a7a0d7bdc39e9710a0e333da86480e9833da1f67146

SHA512
e95e584f922f67e49e03c8205496f495b246c5f19a4fd1a15e085e22d5b1b152619b270344906f9fc91163a6fa6965d5e9ff247c08d86c3fd218f7edbd7ccf69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585c73.TMP

Filesize
538B

MD5
ae707c8a20502d916872ca86a6627fbf

SHA1
eb20b98adc850f31141d2be4754245eb3e391be6

SHA256
af477836a3c6167033631742afe1232418b12281d8c3ce09238b14b765ad9724

SHA512
fff3c46ef7ec594786f923b0acb00492f8efc7c6103c8dcab3b1b5987205b33fa09d7dd5f23b1d53595565eae03f646b75ba749f6035b3e3d41098110f300263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9e533d74aa39ce23c4669df04c45d981

SHA1
52050f03e7f71f3be8542203e61f569047f52ecd

SHA256
730e83fad1c19c5b1d6f2ed43c8e19d56f310f7922f78f582b9e696287016592

SHA512
6c92b6cf18da3991c6d3f218a5912b6d1e048a12f0cd5b129479334cf565e0cc7abb5200e40dbf92665ae6829a39d4d56f09feff950bb4504af09b2485d0bf29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
53ef79e1ece34703914a5ce7b7907567

SHA1
cde4628f2e6b8c99f46ad3c4add5e0bdbb4adbc6

SHA256
918605a2c4fc8ea3a6f8258860216764a6848ed4752df0ba4815c5ba45eafc19

SHA512
f0038380f20a74534c4f1d5fd437085bf9a9e88fb979dfb3c344ed7d5cafcd2453fa6ab51eb173bab08652089cfc21749e00ce98c1780aa0d5a2de78a69c708a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa3113537d6a0d588f32293869031fba

SHA1
d9d0fef2852b8176fc05ac97e49b41d55822e871

SHA256
c84b2e64df37f93e3a4af3f561ab8b336862a7c8cbcad6d9e2fb4c5d9394f08d

SHA512
8fed91a0be364a79cecdbfb88048c6c6d0688096129c86778f11e6214680427a8abbabf6d942592013a221f56f1daec39b1b70684a1623f220ea9fbd4d83065f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
807cdcbdff72937fb40b0cb5cf2c00af

SHA1
9d4e4951355327e13505f2cdd2c8e6685a5fb5e5

SHA256
d6d2a2a68ce474dcd53785dfe1a48019406dfc90cf0bed6b9fbcf3facea40579

SHA512
7aa583e60dae268a234bc382b2aaf8a8aa1ee2bf9408dcee6c4ec1700788cdb8f76563f40c03bc49f166c49922ce863d4ad9680771c93927152fca07385fc768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b9f19aa52b4982e17b30b5ddec4e825

SHA1
e48bb02f028327bdb1fe9280a24041ceacb55fbe

SHA256
86d5b2e28e00cbe89d7edc92c81fbbb45e868230c0e0073b9a3cc1e700461d2e

SHA512
e5517448855ba4ef94b25ff2d9fd63fdb4bcd8ace1a5f65a4e9a36ddcef26b445b04dc76bad6e2d895e3c0f7856705e5455592f179637edc7dbeb906968f2cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa6de2d6da1af0a895ebf5ae2a565899

SHA1
e96c818f735b1e1e6aa983c267acf9226eaca47d

SHA256
11546a1971c114b6cbe5216adbf0ee39ad5ef2073b066d6ad5b9f7aa678b7f81

SHA512
41a82cf1bd41c7b072c08728b53145cfff37f7385f3a29afcde4285d5fa5ab1f25dfdf63fa0aef91c2feb1877577ab2a5df7a8d2f09364d24c073a41620bf7f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a16690a74b62d00f3dcfd31212169e7e

SHA1
6f1b1b27aa1ecbad5b1acb37abb45a4d931dc3a0

SHA256
6f315cc325f8fcf9ba6e6aca97a1768d0af62d4d8c8dd49b27d47da1286b2869

SHA512
58b8df4fe8156fdb2c4d0dee60a07892f0f4489045e41c024225555559b35fdb376d965a033c61db19574c3760c1761af3c48243021dd92d07844e2cd60d529e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s6dardkt.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
879e218826c37cb92bab5a7fa56637ca

SHA1
a8e65bf7c8529d97f4b63730d9ed69f5cbc27fe5

SHA256
4de38dd441b46e2716992555721195608243b9f1b6a1197a1dabec96f8ba7af5

SHA512
14730789273ac9222460dd935aae36ce0f687e18c468af1544a39c1c0fe78f18d47f56fdcffc5df6582defbcc1779022d759cbe0cec850f17c91fdb11b1a186e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\AlternateServices.bin

Filesize
7KB

MD5
60036a1ebfeac47000f13adc494d6a23

SHA1
d467ca19bbc8328c0b60009a9ccd98ed1f3033e7

SHA256
b27de1012c5065c6301d4668e65b244d68c326d0ae1a6ad6588e633ac3b780ae

SHA512
870ddea1d21d82638edd6ee8065078844312af30fbccc799d087f522f5677c3c2862f8e274c47a4eec7cd08780a1c42ddf7583e794d15ae7bd3597abe127eb47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e2a50e6ef50d79b22269a2adbbe4c458

SHA1
769bc57701e9e7bc24c3e812672950d4bd1fa607

SHA256
7ee8180773551ab28fe44569fe3996480c6b0b949bdb67896c8a8c0635895fb9

SHA512
56489554566493de4d76f6965f3a91a872c26d1df6db62f3b19a4785b93ad878ef3a51e9fed7663a86b2f2b34bbec74e45e4d840d994e4af58b056b4fe77b1a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
349cf00f38204df289e73ed0767bbd00

SHA1
c009729a4b9099d2bd1d3873812a0439707e32a7

SHA256
24793e29317f233a26aef87d060ff7a9a393bea002babc15f931783965252059

SHA512
1d5b7c8ea5881d5feb90a0b239171add3462135d3a7d53e926842b76a2dc7e44d90194416d280ec1ecf8402ee9149b78c987bb2f558706d7b04828e7e2ebdf5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ce2e37779525072660a1bc8e711f8382

SHA1
38f5fc947c359cc4b52cf9f9c8eb32037250e23f

SHA256
e22a0f3a46d5fd826db3d4bb839da56d1d2689c2c9006555967222a1d6efe11f

SHA512
b031e92e201faca1dc1516b63ab350f49c725a7a7c6fbd87f57f70229401bb2435ef7968e097dfebd611fea76c99e6ef7df9ddb39168f8b4bb79bda935dc4980

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\49decf62-2273-4eaf-aa22-225b800e422f

Filesize
671B

MD5
493c6d578f56fcb79baacd92bbce8ed9

SHA1
c4043f59b12f13192da606f89367c86be560147a

SHA256
8895d52ca1f0cc831eb0cbb29c3591cf6e178a780ce9ee5300ab28efa823fe9d

SHA512
8989850ee9a56e0c41d9d672667ba612a4b8f4b08e172ed2326c41a6d709e3ef1e95587ff4adaf12aba3a9e1e01b3ca274ed5e4cfd0fbe715c81a19cd2b91a67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\7d581838-f745-413d-af37-609dba4c5bef

Filesize
24KB

MD5
84babbb608b8ea1a8d798a6877f0c5ef

SHA1
613272489ec080905575a7aaaac3e311974b4b0c

SHA256
f0af41790aea19ff77c77eb0ea520784f355d202e77b4a8cd6c559468dbdc385

SHA512
f7d67a502aa5ce19b2577785c688ee8ad0b95f49786df283563dbf3689c907139e3b7dfdc6663bbd0fb99ca537425f0441b9e6170fd67f028d5e3edd4fc35189

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\92edf4ec-e0dd-4eb6-bf43-c84e3b0f413e

Filesize
982B

MD5
9abcabc7ab83939f207f7a2701910701

SHA1
fa6929d4e097f4b6532997652bcb29f162e1bb5d

SHA256
3299ce84a5d47de8963a317f677c0af4bef83ec1ed4ca99386a0cf6283da0de7

SHA512
b92ae406cf7d3530651027e834236003f944a692e1d93ea0a68435e37218970b84e9d0b9eb8c4f84c6e375944c48f6f30b1630b0e5adb70892ea19665b7b143c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\extensions.json

Filesize
37KB

MD5
7e9c030c28a7bd376050a7d56a2c8ab7

SHA1
547ac80b54f0fbf9474ebbad04d1668603b1fbf1

SHA256
5a1284aa00f46f1495ab0c747785faf8f01f2babffcd766989283a0d134a7909

SHA512
fa157b42a724b5d689f07c84e71d8498f648b28c787469cab82941d263434421deedb44af84a25fc697a7d0e9dad179785215f116464568080e9d85f500fe7bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\key4.db

Filesize
288KB

MD5
d934b155727802cb8a0e0bbcae78073f

SHA1
450568a9338b59d705a08408d881863c0420cd10

SHA256
5730c9e33c1e20594f54ca5ad0faee74e42baefcca6fc1c20342d6588d86b7d8

SHA512
46227f827a072462ee4ed752370e05e1a3115be22b0ebeafeb2cb38628e60a3c74cbcff831b36ea0e8f0806e083910742a22e92de1b5c95deb0c3ab95d1f0dde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs-1.js

Filesize
10KB

MD5
2128e88a951472c26cf1c793a6c498d6

SHA1
3b68742cec138c4c15fe4e6d84b5c0128b6b17cb

SHA256
8daaf360401feaf6b0684f0be6bc978880b761daac65a8632643c1795924299f

SHA512
80ba3e1022abd2cce711be804ab4308667abe8ed8e3c8b0dbd64ce49c94fc3a0d62c61f4d9359b88b3f2820e19bf4df11608050416576e948f64decd186ddba6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs-1.js

Filesize
11KB

MD5
1b0a8740b73f0c3a9088723e7b4ec0d2

SHA1
8e5583be060ea544cecd109d816df704c7d714c4

SHA256
ac31ed627499cb0ad9bd23ffb1e4c6d001ccb062fcc8150874836426638fcafc

SHA512
cd4c974e1d99e52747d2911f181cdce59adaa578b7e0b5604d8b2f93af5d7592531e2a0a228617c03358992cbec763e5dcb5438e09fe77321e6db294dc8f32d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs.js

Filesize
10KB

MD5
fa00eb7f08d5a45da7e6b136a91bc117

SHA1
289f72d24b0de1737e9bc4bff17cccceb0ceff0d

SHA256
71ef3df372783dabbb7a7799a558195c9480c6a74d465339979f8c1cd067101a

SHA512
c965c55a9736fc455d4eef4176e239940cb083a68fb315848740e54871c9ff3f1e695bf7767b099190fa839370679e4de26d081acd0f03f140e195bca0fb79ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\prefs.js

Filesize
2KB

MD5
7122b534b17912bc27337038c0feb5c7

SHA1
f01e12b8d23564f38eeab664738edf4eca39bcdb

SHA256
790778a4f45023abf74fe517585637b38286ed8eb538b5445c8c420294615de9

SHA512
668bdd0337d88e433995299a8fedf824aaeea592545ff8059f048ec0233b1014fe74998e4170542fb7493dffd17563517d7683e1b1cee9ba644c5db96f6f6b15

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
11.7MB

MD5
29d860b3f2644d1521221c0894b11848

SHA1
61cef8cfdadf102c9c045871c27ea32c3e62d379

SHA256
2a6eb6bf28d48fa3221e44d1a2ce24223e4f044bf2e59e859629e8b82ee2834a

SHA512
e9dfc6e55134d8163a01776f0ac1ff546f9d9a8bef0f69d3efc86330bcbe0ce0c5a3ce79182c5a05a44c23538f33eb63a780682cf30c3c46237d8ad7be51d854

Download Submit
C:\Users\Admin\Downloads\180201721323244.bat

Filesize
322B

MD5
c719f3a51e489e5c9fbb334ecbb45ede

SHA1
5b5585065dd339e1e46f9243d3fe3cb511dc5ce6

SHA256
c67348cacc707decd859789c8ed1e8afdb6eb8753d3941d0ee9ecba2f00500b7

SHA512
b2b0ea3a3701b5d689a5cbcc5c16721cf807304ca02375f33c5b507c1a00655917354e32f6e2b96c081125751498484c974c2d3eaa754d6074c9d55aec8c0164

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
585B

MD5
3f0912626cbe76e0fc40f6d4a9d5a6a8

SHA1
e6b56b32034acdf96103f65e43cf63087e3cb7be

SHA256
d3fff910383ad3b659e17b714af8f3a403574eac1a903a8654b44c5769a6df43

SHA512
eac8698a21ed3d4487dae963ba45c9ddbd97c7359d6441160ba9a3b87caa4d2a6859eacd31b38b15fca934941e556f3240e192cec6790eb46670a74e15e75254

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Downloads\m.vbs

Filesize
201B

MD5
b067df716aac6db38d973d4ad1337b29

SHA1
541edd1ca3047ca46fef38bd810e5f0f938b8ae2

SHA256
3f7ded679522e917f30aacbfb7c688ef477d7886e722731c812dc486195e220f

SHA512
0cbc1b820abf13e225e7a7636ce1e336d758fa54a9ee6aa09dee7a9748a2cf890f45ba55a7a188b69972b396bac37ddb9a98ba202ff2e203b34a75e515c0759c

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\wanakiwi.zip

Filesize
354KB

MD5
e4f370b101104c15269a3b888ed98e08

SHA1
ad5b797c7cc788a21403ca0cc959bb548580c84f

SHA256
40da854572ad619f1e48ebc62e7ac42fc46b2f3fbdd0dd9069eb451b79f578f4

SHA512
5fd22a7bc6ae20461aab75d0806309d0ed5f926219437a2a252dd96a4dcae616c0b7faa91a7f12d693c75ef9e36c26f0f876cf3fa82d85d419bfe08b1b8ab6ef

Download Submit
\??\pipe\LOCAL\crashpad_1396_DGRKKRUELULQSEQK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2068-1986-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/2068-1962-0x00000000739E0000-0x0000000073A62000-memory.dmp

Filesize
520KB

Download
memory/2068-1937-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/2068-1936-0x00000000736F0000-0x0000000073712000-memory.dmp

Filesize
136KB

Download
memory/2068-1935-0x0000000073660000-0x00000000736E2000-memory.dmp

Filesize
520KB

Download
memory/2068-1934-0x0000000073720000-0x000000007393C000-memory.dmp

Filesize
2.1MB

Download
memory/2068-1965-0x0000000073720000-0x000000007393C000-memory.dmp

Filesize
2.1MB

Download
memory/2068-1967-0x0000000073660000-0x00000000736E2000-memory.dmp

Filesize
520KB

Download
memory/2068-1966-0x00000000736F0000-0x0000000073712000-memory.dmp

Filesize
136KB

Download
memory/2068-1964-0x0000000073940000-0x00000000739B7000-memory.dmp

Filesize
476KB

Download
memory/2068-1961-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/2068-1933-0x00000000739E0000-0x0000000073A62000-memory.dmp

Filesize
520KB

Download
memory/2068-1963-0x00000000739C0000-0x00000000739DC000-memory.dmp

Filesize
112KB

Download
memory/2068-2080-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/2068-1990-0x0000000073720000-0x000000007393C000-memory.dmp

Filesize
2.1MB

Download
memory/2068-1993-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/2068-2004-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/2068-2008-0x0000000073720000-0x000000007393C000-memory.dmp

Filesize
2.1MB

Download
memory/2068-2045-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/2068-2054-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/2068-2058-0x0000000073720000-0x000000007393C000-memory.dmp

Filesize
2.1MB

Download
memory/2068-2077-0x0000000073720000-0x000000007393C000-memory.dmp

Filesize
2.1MB

Download
memory/2068-2073-0x0000000000DB0000-0x00000000010AE000-memory.dmp

Filesize
3.0MB

Download
memory/4336-535-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download