Analysis

  • max time kernel
    462s
  • max time network
    462s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-09-2024 23:08

General

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 40 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 49 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://findcoins.top/
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2e0146f8,0x7ffd2e014708,0x7ffd2e014718
      2⤵
        PID:4356
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        2⤵
          PID:704
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2596
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
          2⤵
            PID:3560
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
            2⤵
              PID:3944
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
              2⤵
                PID:1812
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
                2⤵
                  PID:4808
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3800
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
                  2⤵
                    PID:868
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
                    2⤵
                      PID:1708
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
                      2⤵
                        PID:4032
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
                        2⤵
                          PID:864
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
                          2⤵
                            PID:1524
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
                            2⤵
                              PID:4000
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3576 /prefetch:8
                              2⤵
                                PID:1664
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5944 /prefetch:8
                                2⤵
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4792
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
                                2⤵
                                  PID:1228
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
                                  2⤵
                                    PID:1708
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
                                    2⤵
                                      PID:1480
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                                      2⤵
                                        PID:3220
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1
                                        2⤵
                                          PID:4936
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
                                          2⤵
                                            PID:3776
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
                                            2⤵
                                              PID:4220
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5888 /prefetch:8
                                              2⤵
                                                PID:4800
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
                                                2⤵
                                                  PID:4164
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:8
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:3564
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:8
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:4036
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5136 /prefetch:2
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:2556
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
                                                  2⤵
                                                    PID:3168
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
                                                    2⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:4644
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
                                                    2⤵
                                                      PID:3420
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6788 /prefetch:8
                                                      2⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:1676
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
                                                      2⤵
                                                        PID:1844
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
                                                        2⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:1364
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
                                                        2⤵
                                                          PID:1564
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:2024
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
                                                          2⤵
                                                            PID:1504
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
                                                            2⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:1748
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
                                                            2⤵
                                                              PID:3988
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 /prefetch:8
                                                              2⤵
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:3724
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
                                                              2⤵
                                                                PID:3200
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
                                                                2⤵
                                                                  PID:1360
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
                                                                  2⤵
                                                                    PID:3968
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                                                                    2⤵
                                                                      PID:3112
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
                                                                      2⤵
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:4500
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
                                                                      2⤵
                                                                        PID:2292
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
                                                                        2⤵
                                                                          PID:4584
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,12999035085259598754,18021616095438181039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
                                                                          2⤵
                                                                            PID:1960
                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                          1⤵
                                                                            PID:3852
                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                            1⤵
                                                                              PID:3556
                                                                            • C:\Windows\System32\rundll32.exe
                                                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                              1⤵
                                                                                PID:1620
                                                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
                                                                                1⤵
                                                                                • Drops startup file
                                                                                • Sets desktop wallpaper using registry
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:772
                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                  attrib +h .
                                                                                  2⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Views/modifies file attributes
                                                                                  PID:4568
                                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                                  icacls . /grant Everyone:F /T /C /Q
                                                                                  2⤵
                                                                                  • Modifies file permissions
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2388
                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                  taskdl.exe
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4564
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c 65911727392210.bat
                                                                                  2⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1752
                                                                                  • C:\Windows\SysWOW64\cscript.exe
                                                                                    cscript.exe //nologo m.vbs
                                                                                    3⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:5008
                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                  attrib +h +s F:\$RECYCLE
                                                                                  2⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Views/modifies file attributes
                                                                                  PID:4224
                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:1788
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
                                                                                    TaskData\Tor\taskhsvc.exe
                                                                                    3⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:4888
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd.exe /c start /b @[email protected] vs
                                                                                  2⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1160
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                    3⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:3584
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                                                      4⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3176
                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                        wmic shadowcopy delete
                                                                                        5⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1396
                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                  taskdl.exe
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3188
                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1832
                                                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Sets desktop wallpaper using registry
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:4960
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
                                                                                    3⤵
                                                                                      PID:2740
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd2e0146f8,0x7ffd2e014708,0x7ffd2e014718
                                                                                        4⤵
                                                                                          PID:1224
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://en.wikipedia.org/wiki/Bitcoin
                                                                                        3⤵
                                                                                          PID:3100
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd2e0146f8,0x7ffd2e014708,0x7ffd2e014718
                                                                                            4⤵
                                                                                              PID:928
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cmkaqiluwluphj236" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
                                                                                          2⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3228
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cmkaqiluwluphj236" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
                                                                                            3⤵
                                                                                            • Adds Run key to start application
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry key
                                                                                            PID:4900
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3224
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3476
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:3584
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4212
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2792
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:4580
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1844
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2044
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3160
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3252
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:3752
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1160
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1696
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:1420
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2584
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3392
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:4344
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2840
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1592
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:1484
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2584
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4612
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2232
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1512
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2116
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2960
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3208
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:208
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:4620
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1524
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
                                                                                          taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5116
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:4192
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
                                                                                          taskdl.exe
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3204
                                                                                      • C:\Windows\system32\vssvc.exe
                                                                                        C:\Windows\system32\vssvc.exe
                                                                                        1⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3844
                                                                                      • C:\Windows\system32\OpenWith.exe
                                                                                        C:\Windows\system32\OpenWith.exe -Embedding
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:4404
                                                                                      • C:\Windows\system32\OpenWith.exe
                                                                                        C:\Windows\system32\OpenWith.exe -Embedding
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:4460
                                                                                      • C:\Windows\system32\OpenWith.exe
                                                                                        C:\Windows\system32\OpenWith.exe -Embedding
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:1924
                                                                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Radamant.zip\DUMP_00A10000-00A1D000.exe.ViR"
                                                                                          2⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Checks processor information in registry
                                                                                          • Modifies Internet Explorer settings
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2052
                                                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                                                            3⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:4616
                                                                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=50E0F5C2EA374CEB855E827C4D7C9885 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1228
                                                                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=55676AD11C3777829FBDD5A9038847B8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=55676AD11C3777829FBDD5A9038847B8 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:4348
                                                                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0D42967476F8CED5D894EBF8A99230FB --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:3204
                                                                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A29767C60B68A9C776371B3C666DBF26 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:180
                                                                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F97255C53F680F65F144296C3634E8C --mojo-platform-channel-handle=2404 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                              4⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:4512
                                                                                      • C:\Windows\system32\OpenWith.exe
                                                                                        C:\Windows\system32\OpenWith.exe -Embedding
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:4448
                                                                                      • C:\Windows\system32\OpenWith.exe
                                                                                        C:\Windows\system32\OpenWith.exe -Embedding
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        PID:1368

                                                                                      Downloads

                                                                                      • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

                                                                                        Filesize

                                                                                        1KB

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\21e587b0-b028-4ee5-8f9f-4bde317f456d.tmp

                                                                                        Filesize

                                                                                        10KB

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                        Filesize

                                                                                        152B

                                                                                        MD5

                                                                                        eeaa8087eba2f63f31e599f6a7b46ef4

                                                                                        SHA1

                                                                                        f639519deee0766a39cfe258d2ac48e3a9d5ac03

                                                                                        SHA256

                                                                                        50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

                                                                                        SHA512

                                                                                        eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                        Filesize

                                                                                        152B

                                                                                        MD5

                                                                                        b9569e123772ae290f9bac07e0d31748

                                                                                        SHA1

                                                                                        5806ed9b301d4178a959b26d7b7ccf2c0abc6741

                                                                                        SHA256

                                                                                        20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

                                                                                        SHA512

                                                                                        cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

                                                                                        Filesize

                                                                                        62KB

                                                                                        MD5

                                                                                        c3c0eb5e044497577bec91b5970f6d30

                                                                                        SHA1

                                                                                        d833f81cf21f68d43ba64a6c28892945adc317a6

                                                                                        SHA256

                                                                                        eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

                                                                                        SHA512

                                                                                        83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

                                                                                        Filesize

                                                                                        67KB

                                                                                        MD5

                                                                                        929b1f88aa0b766609e4ca5b9770dc24

                                                                                        SHA1

                                                                                        c1f16f77e4f4aecc80dadd25ea15ed10936cc901

                                                                                        SHA256

                                                                                        965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

                                                                                        SHA512

                                                                                        fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

                                                                                        Filesize

                                                                                        41KB

                                                                                        MD5

                                                                                        3fa3fda65e1e29312e0a0eb8a939d0e8

                                                                                        SHA1

                                                                                        8d98d28790074ad68d2715d0c323e985b9f3240e

                                                                                        SHA256

                                                                                        ee5d25df51e5903841b499f56845b2860e848f9551bb1e9499d71b2719312c1b

                                                                                        SHA512

                                                                                        4e63a0659d891b55952b427444c243cb2cb6339de91e60eb133ca783499261e333eaf3d04fb24886c718b1a15b79e52f50ef9e3920d6cfa0b9e6185693372cac

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

                                                                                        Filesize

                                                                                        19KB

                                                                                        MD5

                                                                                        2e86a72f4e82614cd4842950d2e0a716

                                                                                        SHA1

                                                                                        d7b4ee0c9af735d098bff474632fc2c0113e0b9c

                                                                                        SHA256

                                                                                        c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

                                                                                        SHA512

                                                                                        7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

                                                                                        Filesize

                                                                                        63KB

                                                                                        MD5

                                                                                        710d7637cc7e21b62fd3efe6aba1fd27

                                                                                        SHA1

                                                                                        8645d6b137064c7b38e10c736724e17787db6cf3

                                                                                        SHA256

                                                                                        c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

                                                                                        SHA512

                                                                                        19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

                                                                                        Filesize

                                                                                        84KB

                                                                                        MD5

                                                                                        74e33b4b54f4d1f3da06ab47c5936a13

                                                                                        SHA1

                                                                                        6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

                                                                                        SHA256

                                                                                        535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

                                                                                        SHA512

                                                                                        79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

                                                                                        Filesize

                                                                                        1.3MB

                                                                                        MD5

                                                                                        85db49a9ad005638f14e239d345a10c6

                                                                                        SHA1

                                                                                        bdca353e77e2e4b440062f6c73e3e03a0a841647

                                                                                        SHA256

                                                                                        b93bb7740503d55cc08845aa6d795ceff67a7c1012563375c844510b580ad0d2

                                                                                        SHA512

                                                                                        8f6b4a6e17c86442534659a49ed937b3b3634c0430759431fea1f62eb4d3f79068b99049bc926e6f26017069e2018662a0ffe0bc703c282a93d5f17cb03abd52

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

                                                                                        Filesize

                                                                                        213KB

                                                                                        MD5

                                                                                        f942900ff0a10f251d338c612c456948

                                                                                        SHA1

                                                                                        4a283d3c8f3dc491e43c430d97c3489ee7a3d320

                                                                                        SHA256

                                                                                        38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

                                                                                        SHA512

                                                                                        9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                        Filesize

                                                                                        4KB

                                                                                        MD5

                                                                                        7155e93f21c6650e5e50ac24fbf902e7

                                                                                        SHA1

                                                                                        5b4ab1068e27c94aba034fef8e59958972ef53b5

                                                                                        SHA256

                                                                                        50635f55f4cd06f1ccb6b2860cde39e8af37124274d865dd64bc683d4f93e280

                                                                                        SHA512

                                                                                        b2b62be5249fc847695cb109e44c281e75aa5dd424ef34ab95ce28265f3f3f5616ec176095f6df2112db5459ad9ac41f3fdddbb261e956f13bc53bd87d250545

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                        Filesize

                                                                                        4KB

                                                                                        MD5

                                                                                        dfcae5898f4ae4eef2b721f773d3c4a7

                                                                                        SHA1

                                                                                        6776231d7ae9245ba2937f3d64434bd540b0ec7c

                                                                                        SHA256

                                                                                        2a9f0dc5d5a89059a24f667b25ff6c2caeb8771f76fa0e5ac4f05be9f850eeab

                                                                                        SHA512

                                                                                        50297bbd0885a4cd7aee87c9404b69d961c912f382ec7f7d1ba694cbe4a3e180e0a6b95e2dea91b53de9873b8a8cbb167ccffada41220f377baa9820736a5e81

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                        Filesize

                                                                                        4KB

                                                                                        MD5

                                                                                        9fca5b07b9577885ce49f32a97ff23a9

                                                                                        SHA1

                                                                                        a854f8a54f550c90b3e155744511c27c597c4403

                                                                                        SHA256

                                                                                        417932133d0316f7253f6bc7a24b48b4f15bdb2522f4423b0d8ddff3a8003506

                                                                                        SHA512

                                                                                        27559ff6001d6258005c6a09f00f1b8220d2a9fcd73449cdca5ea74c9156949248da3d05d8973df91046a3a55f957669cf95c3658053aa655236a50ba34d7b60

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                        Filesize

                                                                                        216B

                                                                                        MD5

                                                                                        025147fde19436e0227919dc46ba94ce

                                                                                        SHA1

                                                                                        6b400f913764a41a314fd0a3aa7b1f6ad32284e1

                                                                                        SHA256

                                                                                        fe918b51997f4b6d51bea9da6a83cd1ecc4973d4809b8addd3fdafbbe587bae3

                                                                                        SHA512

                                                                                        2e019a986d50b9b6b244b38909333e4b2d7f9724cf1ef75e0d0f04cac62c2ed625f2ce9740185caf45addb24934ccded80243ff37256cfd3b2a98b332c0f5e3a

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                        Filesize

                                                                                        4KB

                                                                                        MD5

                                                                                        f79b68e4c72df4927ff40688ede3ab48

                                                                                        SHA1

                                                                                        1d75191cca36f992f9c48ef6465ba63374f38acd

                                                                                        SHA256

                                                                                        651c797bad8dcbf9c53745ec2b88587757bd785b066e3cdd21242179ccee9caa

                                                                                        SHA512

                                                                                        dd6a627d071b377568744c5ded2497c727358d426bf3a4980e1194a98a2b0af3081db9e9c02f1c767076747de4bed806a75483ff50a581a20ae45de25e47e1d5

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                        Filesize

                                                                                        2KB

                                                                                        MD5

                                                                                        e8f80cb7d3ed8b59932d051f18f193dc

                                                                                        SHA1

                                                                                        aa9f187af94b1da5bedb5c1995255cc113d57870

                                                                                        SHA256

                                                                                        af49df69a012977ecba58ca375fc872273fde86d018d537e11f9e9949c3dbcc5

                                                                                        SHA512

                                                                                        1c497a726190df931b03bd9d7aa234fae952e250f6ecaee8ed49e87ed86bfb528c4e50b5109ca28093c4e7a4b9226aaff91257225f010d2a0e60116a827f3335

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                        Filesize

                                                                                        111B

                                                                                        MD5

                                                                                        285252a2f6327d41eab203dc2f402c67

                                                                                        SHA1

                                                                                        acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                        SHA256

                                                                                        5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                        SHA512

                                                                                        11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                        Filesize

                                                                                        8KB

                                                                                        MD5

                                                                                        6e7f5bb2758aa83f39d2b95474b9f357

                                                                                        SHA1

                                                                                        9aba9a7e3f70d82d816ff51ed605f224cf5b73dd

                                                                                        SHA256

                                                                                        fe4bb201f5d83719798a898c48c8fb79995bd0088ceb8cfa775c5ea88ea33fb7

                                                                                        SHA512

                                                                                        2869a2ae636a8e61ea7fe62340d7a89c1eb992fd6f576d9226c66c5a572055ab4d779044084c8ed011a6c32f604fcb463d98f04f3d78478772186a8729704b1a

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                        Filesize

                                                                                        9KB

                                                                                        MD5

                                                                                        04d9361d7fadf0f90c2588d09deb7408

                                                                                        SHA1

                                                                                        35a676bb3fddc6beffc09d66044aa4b8e3f24b19

                                                                                        SHA256

                                                                                        287fe428b09997f72a540b7330484c6afa748b2da2a00ce2b2bdad29318539d8

                                                                                        SHA512

                                                                                        4d5b43129bb10dac3b99e6d2bf3c9c68f7855bd78b679c5bb1733c945373b5c924e203a3cc8db4b8632e7595b539ddd22aa65c12c9fc6ce5fb5d32167a85d01b

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                        Filesize

                                                                                        8KB

                                                                                        MD5

                                                                                        6085452524f1c3f308fb8f44a9e4ac8e

                                                                                        SHA1

                                                                                        e3028c0826bf5a4d151c377f8c175a57d0c0af16

                                                                                        SHA256

                                                                                        ea66f33e370ab70d3eedc30d92a209f0a00b053ddcdab1dcb8ccd5fd42ca7728

                                                                                        SHA512

                                                                                        c50d77c1b5831d968a6bc40dce9590122d61fdcc80e2bb05edff4e794ee66d99c61560e859d10af4d0c8ad03126a7b2a3a3ec40497dc17f33050a7c497329a9e

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                        Filesize

                                                                                        5KB

                                                                                        MD5

                                                                                        83555f37bf856b6c0e3b44e415acf581

                                                                                        SHA1

                                                                                        11591719b467dc7cc51a256040808ed6afe73861

                                                                                        SHA256

                                                                                        0cfdbab180fd4bc688d446f275b93da0acff3baaa9d2bafff8e82f307e465052

                                                                                        SHA512

                                                                                        5d12bbce98bef22f5949468f06c594d1fc2600b480b43d938895c524b00d6b564d8a3e89c7ad761b0408f9da24572f61bb77cfb35e244caa6c84c81e8c094f49

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                        Filesize

                                                                                        6KB

                                                                                        MD5

                                                                                        8f5b43c7421a47334d7ac0d40c9366bf

                                                                                        SHA1

                                                                                        0f5c7a3ac32b48609876a7b2168ef1251844a5e2

                                                                                        SHA256

                                                                                        d1ad3910769db8e30e0a92bbbcb1003136c6c901dd73fcae7f32e8a700db5dd9

                                                                                        SHA512

                                                                                        d059f768d00f0f8052afd962520def4276bcb24401ee6e4a95df42cdbaa2ca555b06260b9159a94e464eb882cb14c189fc06c478848cbe4cc47a582e50313d2e

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                        Filesize

                                                                                        7KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                        Filesize

                                                                                        7KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                        Filesize

                                                                                        8KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        2KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583dcf.TMP

                                                                                        Filesize

                                                                                        203B


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d5f7827e-8511-4c12-bc6d-cd667e66cad4.tmp

                                                                                        Filesize

                                                                                        1KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                        Filesize

                                                                                        16B


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                        Filesize

                                                                                        11KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                        Filesize

                                                                                        11KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                        Filesize

                                                                                        11KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                        Filesize

                                                                                        11KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                        Filesize

                                                                                        11KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                        Filesize

                                                                                        11KB


                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                        Filesize

                                                                                        11KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\65911727392210.bat

                                                                                        Filesize

                                                                                        400B

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

                                                                                        Filesize

                                                                                        933B

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

                                                                                        Filesize

                                                                                        3.0MB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry

                                                                                        Filesize

                                                                                        1.4MB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry

                                                                                        Filesize

                                                                                        780B

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\m.vbs

                                                                                        Filesize

                                                                                        279B

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry

                                                                                        Filesize

                                                                                        46KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry

                                                                                        Filesize

                                                                                        53KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry

                                                                                        Filesize

                                                                                        77KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry

                                                                                        Filesize

                                                                                        38KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry

                                                                                        Filesize

                                                                                        39KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

                                                                                        Filesize

                                                                                        37KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnry

                                                                                        Filesize

                                                                                        37KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_greek.wnry

                                                                                        Filesize

                                                                                        47KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_indonesian.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_italian.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_japanese.wnry

                                                                                        Filesize

                                                                                        79KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_korean.wnry

                                                                                        Filesize

                                                                                        89KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_latvian.wnry

                                                                                        Filesize

                                                                                        40KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_norwegian.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_polish.wnry

                                                                                        Filesize

                                                                                        38KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_portuguese.wnry

                                                                                        Filesize

                                                                                        37KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_romanian.wnry

                                                                                        Filesize

                                                                                        50KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_russian.wnry

                                                                                        Filesize

                                                                                        46KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_slovak.wnry

                                                                                        Filesize

                                                                                        40KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_spanish.wnry

                                                                                        Filesize

                                                                                        36KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_swedish.wnry

                                                                                        Filesize

                                                                                        37KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_turkish.wnry

                                                                                        Filesize

                                                                                        41KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_vietnamese.wnry

                                                                                        Filesize

                                                                                        91KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\r.wnry

                                                                                        Filesize

                                                                                        864B

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\s.wnry

                                                                                        Filesize

                                                                                        2.9MB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\t.wnry

                                                                                        Filesize

                                                                                        64KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe

                                                                                        Filesize

                                                                                        20KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe

                                                                                        Filesize

                                                                                        20KB

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\u.wnry

                                                                                        Filesize

                                                                                        240KB

                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

                                                                                        Filesize

                                                                                        2B

                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                                                                        Filesize

                                                                                        10KB

                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                                                                        Filesize

                                                                                        10KB

                                                                                      • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

                                                                                        Filesize

                                                                                        8.5MB

                                                                                      • C:\Users\Admin\Downloads\4f9c0668-9e0e-4eec-b621-76ededb0b241.tmp

                                                                                        Filesize

                                                                                        125KB

                                                                                      • C:\Users\Admin\Downloads\Ransomware.RedBoot.zip

                                                                                        Filesize

                                                                                        1.2MB

                                                                                      • C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

                                                                                        Filesize

                                                                                        3.3MB

                                                                                      • C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip

                                                                                        Filesize

                                                                                        2.3MB

                                                                                      • C:\Users\Admin\Downloads\d1ac86ff-a2c5-47f0-99f7-b0269b4c31a3.tmp

                                                                                        Filesize

                                                                                        59KB
