wannacry | hxxps://www[.]google[.]com/search?q=e&oq=e&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg7MgYIAhBFGDwyBggDEEUYPDIGCAQQRRg8MgYIBRBFGEEyBggGEEUYQTIGCAcQLhhA0gEGNDZqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8

Analysis

max time kernel
193s
max time network
194s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17-08-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/search?q=e&oq=e&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg7MgYIAhBFGDwyBggDEEUYPDIGCAQQRRg8MgYIBRBFGEEyBggGEEUYQTIGCAcQLhhA0gEGNDZqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD303A.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3060.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
4056	WannaCry.exe
6108	!WannaDecryptor!.exe
5816	!WannaDecryptor!.exe
1864	!WannaDecryptor!.exe
4804	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
46	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4216	taskkill.exe
2672	taskkill.exe
4504	taskkill.exe
1448	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{27A85F60-B320-4E92-A13D-17A2EE7D3D5D}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 138381.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4452	msedge.exe
4452	msedge.exe
4856	msedge.exe
4856	msedge.exe
3552	msedge.exe
3552	msedge.exe
3848	identity_helper.exe
3848	identity_helper.exe
3200	msedge.exe
3200	msedge.exe
1588	msedge.exe
1588	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4804	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeIncreaseQuotaPrivilege	6068	WMIC.exe
Token: SeSecurityPrivilege	6068	WMIC.exe
Token: SeTakeOwnershipPrivilege	6068	WMIC.exe
Token: SeLoadDriverPrivilege	6068	WMIC.exe
Token: SeSystemProfilePrivilege	6068	WMIC.exe
Token: SeSystemtimePrivilege	6068	WMIC.exe
Token: SeProfSingleProcessPrivilege	6068	WMIC.exe
Token: SeIncBasePriorityPrivilege	6068	WMIC.exe
Token: SeCreatePagefilePrivilege	6068	WMIC.exe
Token: SeBackupPrivilege	6068	WMIC.exe
Token: SeRestorePrivilege	6068	WMIC.exe
Token: SeShutdownPrivilege	6068	WMIC.exe
Token: SeDebugPrivilege	6068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6068	WMIC.exe
Token: SeRemoteShutdownPrivilege	6068	WMIC.exe
Token: SeUndockPrivilege	6068	WMIC.exe
Token: SeManageVolumePrivilege	6068	WMIC.exe
Token: 33	6068	WMIC.exe
Token: 34	6068	WMIC.exe
Token: 35	6068	WMIC.exe
Token: 36	6068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6068	WMIC.exe
Token: SeSecurityPrivilege	6068	WMIC.exe
Token: SeTakeOwnershipPrivilege	6068	WMIC.exe
Token: SeLoadDriverPrivilege	6068	WMIC.exe
Token: SeSystemProfilePrivilege	6068	WMIC.exe
Token: SeSystemtimePrivilege	6068	WMIC.exe
Token: SeProfSingleProcessPrivilege	6068	WMIC.exe
Token: SeIncBasePriorityPrivilege	6068	WMIC.exe
Token: SeCreatePagefilePrivilege	6068	WMIC.exe
Token: SeBackupPrivilege	6068	WMIC.exe
Token: SeRestorePrivilege	6068	WMIC.exe
Token: SeShutdownPrivilege	6068	WMIC.exe
Token: SeDebugPrivilege	6068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6068	WMIC.exe
Token: SeRemoteShutdownPrivilege	6068	WMIC.exe
Token: SeUndockPrivilege	6068	WMIC.exe
Token: SeManageVolumePrivilege	6068	WMIC.exe
Token: 33	6068	WMIC.exe
Token: 34	6068	WMIC.exe
Token: 35	6068	WMIC.exe
Token: 36	6068	WMIC.exe
Token: SeBackupPrivilege	824	vssvc.exe
Token: SeRestorePrivilege	824	vssvc.exe
Token: SeAuditPrivilege	824	vssvc.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
6108	!WannaDecryptor!.exe
6108	!WannaDecryptor!.exe
5816	!WannaDecryptor!.exe
5816	!WannaDecryptor!.exe
1864	!WannaDecryptor!.exe
1864	!WannaDecryptor!.exe
4804	!WannaDecryptor!.exe
4804	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 960	4856	msedge.exe	82
PID 4856 wrote to memory of 960	4856	msedge.exe	82
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 2852	4856	msedge.exe	83
PID 4856 wrote to memory of 4452	4856	msedge.exe	84
PID 4856 wrote to memory of 4452	4856	msedge.exe	84
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85
PID 4856 wrote to memory of 3792	4856	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=e&oq=e&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg7MgYIAhBFGDwyBggDEEUYPDIGCAQQRRg8MgYIBRBFGEEyBggGEEUYQTIGCAcQLhhA0gEGNDZqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff6a013cb8,0x7fff6a013cc8,0x7fff6a013cd8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4637797820724876083,2641798695496584028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:5448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1916

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 220311723927847.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:756
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4084
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:780
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff6a013cb8,0x7fff6a013cc8,0x7fff6a013cd8
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,13844064118108216918,16443204776424297581,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,13844064118108216918,16443204776424297581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,13844064118108216918,16443204776424297581,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13844064118108216918,16443204776424297581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13844064118108216918,16443204776424297581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13844064118108216918,16443204776424297581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13844064118108216918,16443204776424297581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:2136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e10aaa599f9ef2394900c27f536ca7a5

SHA1
e2f184b1367bdaf043e4834551814d8266e1d682

SHA256
f580f3f88a78ae9235493d95f357d83f95054919aaab43d70496062a484e2c9f

SHA512
0a2b246ef1e34753a0e94c1f1cb1af078cbb22bd7ffebd0b6fe04b571f5b59c9763a5850f59a6a0366fc7dc1321e3432ebfd4d3daa97ae57c6d8e7398962b843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
41KB

MD5
c79d8ef4fd2431bf9ce5fdee0b7a44bf

SHA1
ac642399b6b3bf30fe09c17e55ecbbb5774029ff

SHA256
535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8

SHA512
6b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
1.2MB

MD5
0aba6b0a3dd73fe8b58e3523c5d7605b

SHA1
9127c57b25121436eaf317fea198b69b386f83c7

SHA256
8341f5eb55983e9877b0fc72b77a5df0f87deda1bc7ad6fa5756e9f00d6b8cac

SHA512
6a266e9dad3015e0c39d6de2e5e04e2cc1af3636f0e856a5dc36f076c794b555d2a580373836a401f8d0d8e510f465eb0241d6e3f15605d55eb212f4283278eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a0c1a8e1d6af79f2e94c1d41ca5cc2f3

SHA1
a09ab7df268bb47e94e180923324acef9aec0522

SHA256
08f8d72303821536aac28476ecb16e030f913da0938c7cb29c5ad0cbeb7227aa

SHA512
84971e2229d380114a12a46b5a40f7cf9c0305702583223f407602721a012bc711e7434d292f48e178f0b2478c204515eca42bd73e978560e1774f06c5ce552d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
ea9ed8919a3fa0dccd53aabf39894a2d

SHA1
48e59860ea7d44fb672bbead349bcc42777ab4ab

SHA256
92cc10eeb9c0a91b2fd92df96318365368469c7c5a220985f332bc2143e45434

SHA512
dbd7096c5497dc118add28305f29d2034260ed3bb6242a85e8b3dbba46c73b6a5319242975b19ed60dd61cc3e0017e014f5ff1dd6af6eaad5289a15466c44398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c4d02bdfbd9a06a4c4a20623ea00fffd

SHA1
d196b5d0d04dedf752344d46c3ae2e87e374945f

SHA256
3ac699c90c38385979e1ae0e28d4adcef6854ccbca38ae705200c4e989419f5c

SHA512
fdfa4d7afec144fca07b37c35be6bce3258309c4e5ae8bc1c42a94a71c4aa3d2e2a4b4997f16ec09dd745286e6ec10e68edc218884b4c60941b7f5ddb2c6d28f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
591ace29f8ba980b68765b4df835360d

SHA1
5dc64ee0e67eb2b8ad8cfd18ee3c4ca11208b96f

SHA256
ef1d7cd991b695e62502e8db0fe4309765832863ece5003207c8497c0adced4a

SHA512
5bda8a8470416ae1f1f14a5e6180f318a0e1db87dd55c4f3d2ed90b449bceef76bc02efa66b5e09e256b6d841bd425ddd797caaa2bc42a2b4011141aaa942f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
4KB

MD5
24ba4030336f5507a4fb610c7d805492

SHA1
e3e30ce765db018893778c2f577f18140024fc86

SHA256
a8abbb0f929d5b9b3a848280db62fb6385c705adbb272931b1840a9f630cfd80

SHA512
a1b23e37de8cdf9fedb96544aa388cde37e7072a8ca0b1317da6134fa7832de72f311f84f8bf7ee17eb6080a7235547aa71fef75c1aedf23b5f355d962e8f0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
15KB

MD5
7ac86105c9ae18e8ebae9a6b825fb760

SHA1
e3d73564e85091c8d16de41ceaaa76dcecf5ab75

SHA256
de80f6f3d5eabf83dcc154df7b4664f28958dce312b7b04e81e7e18405028470

SHA512
51735aebc0b8b656cc25bb9585ff9876e4ae9be5ff2a29348ebe84b81077f9a20dca887fdc33dc87b1e8be8b840a5d7c84434f514e3b9c310eba81439657fd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
cafdf45ffba4d4417d6c90cec989b9f0

SHA1
333ad836ea4c60e0b9e4c518a83983c552258fa1

SHA256
536aaa750ef5e84a81192b1b083ec77302d1defbe6beb07f4729ce6b1e740178

SHA512
688fb2e9eaf1169455787cf27efee0d55d8527f1a4a1f4979a34a2568df19eaeff5466c45c91b218468593dbd1a493ca2a8400a5759e3d459a5525cff479bfc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8184c55da133a7c56ea91b2a7316a976

SHA1
ab8dedddb94fd4365404e6a1e8066ddf24c9866c

SHA256
29fb4ce4125288f9943ffa1623e0165319e64667d78aec091044bc09495beb2e

SHA512
36fecc05e52e3ad3e21d76fe182c06706ecc38097b9b88663ca505fa80f4c9f017f30eb602e20df17000aeb6a66d3a0637ed24e6cc09e1024ea75ef2795c68d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c3e0c4691a76005883aaf3c367b4dd41

SHA1
d3cadf0054b58c23b6c375ebd716b6d45245f287

SHA256
d667132950ba845d95cdcd8afadfdf78e9650dd1fb141c1b69de57f8632040a4

SHA512
2177ce7a844d8ea6e598aff5f4ff813b5a5d9524f7a16aec6ae31463497d09ecc0025e8c21dbb2d900c87bc64f00e2095968173fdbf6e5c03af5b06771b03e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7413b2c75829382e60d6882a9abd2711

SHA1
90ec1c9b40ebc0c69104f37ac85e2f95746cd39d

SHA256
88356bd35d0031a4c4685a95762305db634ef1d6c4c98be282f353e4a53b1dae

SHA512
dac3437d3687dcd58e09c5298b214d671b941f6ee0f5e45f86a81fd8a3a56e5b0c8380c74318884fab275c0e979dbb095aefb8ff8c47fd6cbf264fc252988c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82384a731178fd9e97fb5d9b4bd186e9

SHA1
fafa418e786b029726cec0d38f5be491a8a30c82

SHA256
e613727a006c54b74f54ea5e5b96c94c0695c5cc7713354c314ed8db21bd9298

SHA512
1e34a0f9917bc7c74a92f86679255017500955f2ba1c3a63f9ed044e01807b51eaa55028ca203fc713cf550fb2f15ae0dff44a7f99ea840d97d996a739df3987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
772691f2ac545ef32716ed034fde5ffb

SHA1
a0a91a23a48c5efbce0b21e586394a1f2b550caf

SHA256
86f443f6d0a78478f818149a5f01bba3e32fbe32a6f8d58e3962f8f004d4db0c

SHA512
d923cc83e6dc9f567d5fee4bdfce445124eaa71656f94f9b33c83446a96ec204de8396aa3817255262f2d1caa2f51a423e69ff344b0959393d1393ef661597ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f5470552ba9e2917370bcc7e21dd0678

SHA1
962e9a265716be9f64ed6f4dc19772b43b1b9a7b

SHA256
de0388352057540e37c67863d97c2074433de65b03174c424ddac8f955892a79

SHA512
2ad1b97c7c89c27ec8d520868a75135ccdb5bcb6a0177b08656d7ebe0499bb0099f7700db8deb9d8873708fe885cc125e39c4e6982b06305bff241872afc9a5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13368401362258855

Filesize
17KB

MD5
6faae5737ced5734622106959a61c02f

SHA1
3ebef16b079e564ffa4a34a2d03b6be47795bac9

SHA256
552f8a0299b803a040c6b87da4d4da7d305df5eb9c0846fe8d731b2ef64cce3f

SHA512
99deafbdeb932204e75a2bba9ee3513a6eb502f0674b9d00f64116b2aa9a9b1fe43b5829ae589ac58955676aab67d5d24b143d3d10b0a1d281dfea6e5c76f2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
3520290132e75866a789007f250fb293

SHA1
8d919e22432f708e501b14aadde9d32cc4aa2a3d

SHA256
4213db24cf8fd563f471690d185536c67f9ad8aecd7762914949c91538f68024

SHA512
90b9434c693d28d356031eeaea35da3a41da6389b9c3b7056735db425d5982c6c1865e4669a7c86acc3bd15d4d7065b891ecd1a75069596717c5bf1b55ccc196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
b09d5c41f92133594c336fa82822f3ee

SHA1
7b53a23749218d6f869b618519e3f363e7422d21

SHA256
eadf66b7ba8e720c1fb299ba44b81604045a4d02e2300c862e4af1a2b2ab424d

SHA512
bd36070dced6c121c3f0f7efd5736900364426a39fd022ea63f570995a32888893c95d2db37f73b0181ee5fcb91bb1fa3b5daab9a3596888b7dcb91d7a4171cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
4fc293166e276771f91036ffb563da0b

SHA1
cd8c6254a9b303a1f0c889ba9b5425e5a3062cdd

SHA256
6939f8b5b242e565ebbe1b5ef3acf31df3c00faa5f7eb506c1cbed2f389002a4

SHA512
a8df1a64899218b256fbe026d65a783e3a47ff7c8a4aa4b91639c190ecf1821d61d03acfc8e714cbd7ab797863245d6b5d639aad3eede2bbeb613938f3139721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6d84340d0bd5210f5ed8d489b281ed28

SHA1
c287baf6e8e9dd488e9d6b07bcdd36a4eff47db7

SHA256
7ea8b5801c7b9221df2e2a00ae7b66736c78cd2ec2442ac9fbe53d3c81313831

SHA512
e376ff6035c1e9a7a4d45f81c9603a89d9e0912d4e50697b5e1bed36b5bc8cbca6296be2e31c84fa760040b83a562c8925cf3b12f65e4f25842e0350a369649e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a53bb3ae84e84dfe97c6ab0c08b0f2ef

SHA1
072665a52e271728c12ba87b5d898057534a80e5

SHA256
8cda218b1a117e0454b02dbbcd555e93d326687995a167ec7805299305896dab

SHA512
e29c1b15a9859fa7ed07434531fbfe4ce32daa99fa658dbb55de28e482c1a5d8f8a57bff795d3aee90c9f0d8ec750914f20261e4337df69441795f19f85e6a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581604.TMP

Filesize
706B

MD5
4b65665f89d5f53076a8a2f185ec648d

SHA1
0c91cdf48282087666bf0ff7833be5562f9b6ca0

SHA256
2865334052bed86666e6317f5a013dc77b4f2b7cd46e19222ecb397a2141af26

SHA512
9a2437a7e834523077e1cc1d03895f9e89fc7981b0541f9da118c4b6e30bfb2b1bce801a658d72e62c052be22e80814a0748ee92689ee98cd52334c57bec8d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
c50375b4293972cc6fc3439a700e0c0b

SHA1
710f0393f099ed6e86d9e327b3d012b294f7f6b8

SHA256
be5cc3563ee2d44a2442b36e3f3796639082f85fc8dd21a58f8a173d7466ade8

SHA512
2d6d3cc5ae4c9e8f5b3b7ecef6a2d22c44870b11a86a9ca1c9c5b903e0b63388bf0989743cc2e9e438b5fab621f792b4ba27c0a9ccffe945dd21ea004d4b26ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
b8a1ca7f4d1a06fe96cca7b969d54be3

SHA1
255ad0d821075be45973e744eb41b509e7568824

SHA256
3609883d4c75f1e94ca2919e79a0b51a78cebc9bfa62a5c3c7926c90dade0000

SHA512
0200d0262c80c39b276f3bbb15b4affd3d42eb51130a224d31adef977f75a0a83bbf4397ab8e5ce16881d21c745e2e3ea885bc013df84c410e46d1e470bc7fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
ae5a408a0cdc2029f59b4bda6db6c35b

SHA1
1d0eeea1b1fdc70550d95c826908d702308f88e9

SHA256
28305c1ae671e1b9116b64b96ce1681203309b989807edb012edef646ccb945c

SHA512
c40d0a2e9b17c3fe40eea1ab7b5f8f58f6bad607b964e6f12747a28c454b6f49a5ab5a7295b4f5b3dd2b26d733a7c2e427365e94a3ce1a15834a39e8dc6309fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e84d6f2d39a061edb119755828e5c7c6

SHA1
c75fc5a068e5d54a78f8d017e810a971aa498d74

SHA256
cdf29ef948b39300ea374790ec8a534fee254e2987d9dd24790adf3afbb003d6

SHA512
aa1ddafe82863a04f0ef50a1c85c363dcec74291d735c758e66151a585d632e11ee99bd82c4d1f3c183ac9fec66364203b8e1e0618ff8dc515b726fbe71b04f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
66711fd87405f5186c914c043ef00936

SHA1
9b0044812a568792d95bdcf018f591baec5650de

SHA256
cf9efbbd308bd716e0a7586d8afe23269a7257c4488e58957e853e909261dee2

SHA512
79c90f3760b7da48ca5ca021327d98a272b74e0c5821c0146a03918065cf534e5f1fd76ae75e96d8feacc5e5fe6ccd2399ab71fa9b1b3022ffcc5d409f1d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
628d74c433f82ae33d3057c273e443cb

SHA1
0ec7c98921d6eb6df6e2dc7430cf28bcedeb920f

SHA256
e9fc490ee324fa6b05cd6ae5c7200acecf4ab8a6adf901ceb43357ca98bcf005

SHA512
e50d1ba75da3a7c12683eebc2df04f30f24f6eba3121fc0208a207930ec91011d2cd5f814a8417a211f015a5acd36e14384250624646f1622c8f9921032f5210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b3c4005dda2847a5e79a51a06886fe4d

SHA1
ebae2039ca7f082a09e9637a7200a155f4e440ec

SHA256
0a0da85ab4fa94dc0991bfc7ed870be3b1b0edb21a7984653ae24eb2b8e3d3a0

SHA512
55090b501f78e7a401c149d2b103e9e2a4332df94d53be4864383384051dca8ed46e6c3a43eeb68c9d4b2709f187b55f61b2f971aad2ac16bed819b0ee7eb428

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
b026fe4c9ee61e5d29890f4c7c4c2828

SHA1
4edb43ad386d255fb21181f073171c7620ae23df

SHA256
d7f7d051df04166bfa8a01057db5facde58dc3f7de01639d230a3b489e51c0d2

SHA512
91a15e90f2d5d81a87e034902ed0f34300678705daab29c0625a91f17ec929ffe000cb7ed657b134f5c18fcc6782599e0aff9a5d12a2db0655a5221a90fb0473

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
4f002f51b33bdd6ecd1fb20883ede238

SHA1
06037cc5133de21e0cb82d143eaac81217c91a3f

SHA256
0952663ce98a922c00be9b53c8231ddc0fa4901a5c28649bbe1c48c2ecfd4480

SHA512
9cd06f2d6e40e7bb6ce09e5f752f8fc81a3bbeede30ff089ea83af55032f96ef44e5d9cd574f8522917c613e6a8eb541209915e61f4b57b01b75fa73002ab4b1

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
95e8b84ae3d0c9ff484b60856bcd00c1

SHA1
d9699e28fb146ba5710ed778e460b87acd52ea5b

SHA256
5f69be4ea1474372bcc6e4dadb01f5096b75d8d061b6fbef499f70f1e50aec27

SHA512
3059fe23239199056ab0a7001ca2af02c53f503492b209c6df5db5b33ef4d01bac857a9414f0573a3a642028feb21ed4d3ffa412de97c067974a79311cb16831

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
8752bf2e678eb62c50c242cad4b34ff1

SHA1
2eb03fce466d9303072ccff1bef15c48cbf3b61c

SHA256
7d83c4fd2e6b53257528f5393da08a4c0717b18d26abc0e3a34154b2d3cb91b0

SHA512
f3549fa7ee982fa215fba16cb7e40575e2ec6faaf610a594819701594fa22c2b4ae80830d3c295fa42935a5d8e42630fd62090e1114c5383289771bf944b3586

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
ac24032f0c70be835afb3b33cb8e21a0

SHA1
441c595165ee6d4048d54817565f4fac69528dc3

SHA256
abc7f0ceb2d3a35a7f44683347752129ae09f6f9c9f19f28303e159ffe68088d

SHA512
f373c7b60d8e4fc970dd9b282ce24064347bf4739e9e8270229a9e5d6755af4eaed30cfd9dc56c57a3b353bd70123fe1f9ef58450d233846e8ee3cdfb7375dfd

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
d0efc05dc1c374920427279639427ae3

SHA1
ef10a4d37a6471f0d865d493bd0ac3b05f16d913

SHA256
a694bf8013348aca30918875d808d76f822dd616c7ab97d992395e8e6bf37daa

SHA512
06328c4615ce04d64d17ea5968d79f6761b286fa8e42b8194b2980f0af1f5ed8d440dfd2f22c17dbdb9df96cb1b223e53a5d26a41b079fef23a76c450ac6c058

Download Submit
C:\Users\Admin\Downloads\220311723927847.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 138381.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
0f2af5051168bfbd2b607a6667718aa6

SHA1
23fd6ce2b66c2a852ca75f64404c3b54bfed9e4c

SHA256
392048aada076b35692925d07ec486d9aa350791238461b1fc390458d164b103

SHA512
f9d4e607a04a31130a456f5f9996c6bc464fb0dc2d32ea67ca5c0c6e3e50d1de9ccd99000f736bd8724ff9d0d897ac147ef733d3111d0916121b912e88ef3406

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/4056-679-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download