wannacry | cb78e3209d1b85e57260f6d12e45332623027ad6cce996b4a6048e8a5ce82c58

Analysis

max time kernel
796s
max time network
791s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
17-11-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Screenshot 2024-07-31 215500.png
Size

54KB
MD5

f382dbc66f303ba793872ac19859916d
SHA1

131f8303150962b5c43f283661e561b7df187b91
SHA256

cb78e3209d1b85e57260f6d12e45332623027ad6cce996b4a6048e8a5ce82c58
SHA512

5e0518f31d7cc844b83369aa4d28d229fe23f2a1377a7bdf676bce2bc77c54eff55b050bc3126cd795b99e90931572e863d00ef5e90172f8317e17b5290380a6
SSDEEP

1536:n0VzOQWk5+UyyOPBb8GDLi5JiWAWfQzKesX:0JOQWk5LOPBb88yJZAWfQhsX

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2E02.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2E09.tmp	WannaCry.EXE

Executes dropped EXE 9 IoCs

pid	Process
1444	WannaCry.EXE
4864	taskdl.exe
3032	WannaCry.EXE
3428	@[email protected]
2856	@[email protected]
776	taskhsvc.exe
2972	taskdl.exe
2424	taskse.exe
1876	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1520	icacls.exe
4592	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhxddduoei124 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
117	raw.githubusercontent.com
13	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762843505887168"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4320	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\You-are-an-idiot.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1732	vlc.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
780	chrome.exe
780	chrome.exe
3976	msedge.exe
3976	msedge.exe
2936	msedge.exe
2936	msedge.exe
3340	identity_helper.exe
3340	identity_helper.exe
2416	msedge.exe
2416	msedge.exe
784	msedge.exe
784	msedge.exe
2888	msedge.exe
2888	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
3456	msedge.exe
3456	msedge.exe
4184	msedge.exe
4184	msedge.exe
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe
776	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1928	OpenWith.exe
1732	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
1732	vlc.exe
1732	vlc.exe
1732	vlc.exe
1732	vlc.exe
1732	vlc.exe
1732	vlc.exe
1732	vlc.exe
1732	vlc.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4196	firefox.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
1928	OpenWith.exe
1928	OpenWith.exe
1928	OpenWith.exe
1928	OpenWith.exe
1928	OpenWith.exe
1732	vlc.exe
2284	Google Chrome.exe
2284	Google Chrome.exe
1708	OpenWith.exe
2944	Google Chrome.exe
2944	Google Chrome.exe
3428	@[email protected]
3428	@[email protected]
2856	@[email protected]
2856	@[email protected]
1876	@[email protected]
1876	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4656	780	chrome.exe	84
PID 780 wrote to memory of 4656	780	chrome.exe	84
PID 3888 wrote to memory of 1824	3888	chrome.exe	86
PID 3888 wrote to memory of 1824	3888	chrome.exe	86
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 580	780	chrome.exe	87
PID 780 wrote to memory of 2416	780	chrome.exe	88
PID 780 wrote to memory of 2416	780	chrome.exe	88
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89
PID 780 wrote to memory of 1380	780	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2684	attrib.exe
2828	attrib.exe
980	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-07-31 215500.png"
1⤵
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa419dcc40,0x7ffa419dcc4c,0x7ffa419dcc58
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4516,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:920
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x21c,0x250,0x7ff6037e4698,0x7ff6037e46a4,0x7ff6037e46b0
    3⤵
    - Drops file in Windows directory
    PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5032,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5156,i,18090275980823863826,10641319360865816558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa419dcc40,0x7ffa419dcc4c,0x7ffa419dcc58
  2⤵
  PID:1824

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3572
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1904 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acca026b-477c-49dc-b255-752142433b44} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" gpu
    3⤵
    PID:1028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {debc8c15-66c9-4d5e-9280-5b0a4da2b133} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" socket
    3⤵
    - Checks processor information in registry
    PID:2972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 3156 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d99f1a0-fd01-42a1-a81e-749ba3276db2} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
    3⤵
    PID:2772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3548 -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3208 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fe8772a-bae9-4aa0-b639-591ed72f069e} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
    3⤵
    PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4316 -prefMapHandle 4312 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8e49c77-f305-498a-a815-a03dd27b0951} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" utility
    3⤵
    - Checks processor information in registry
    PID:1084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1692 -childID 3 -isForBrowser -prefsHandle 5644 -prefMapHandle 2920 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce478dca-d4d3-4ffd-9609-0910290ae274} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
    3⤵
    PID:3308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 4 -isForBrowser -prefsHandle 5796 -prefMapHandle 5744 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8aeebb3-75ce-4320-b36c-553f0f96ea7d} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
    3⤵
    PID:808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 5 -isForBrowser -prefsHandle 5956 -prefMapHandle 5960 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ddf2181-f632-456b-92ab-cc0a56cebd51} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
    3⤵
    PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6320 -childID 6 -isForBrowser -prefsHandle 6296 -prefMapHandle 6304 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40026931-139a-4fff-837c-a3ee8934d237} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
    3⤵
    PID:3720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1836
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa41b33cb8,0x7ffa41b33cc8,0x7ffa41b33cd8
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1272 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,4884039943488487116,7894511460671267438,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  PID:1044
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1444
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2684
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 14101731811281.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1936
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2828
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3428
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:776
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mhxddduoei124" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mhxddduoei124" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4320
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:980
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1928
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1732

C:\Users\Admin\AppData\Local\Temp\Temp1_You-are-an-idiot.zip\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_You-are-an-idiot.zip\Google Chrome.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\f158b8dda1a141aca69adf4601a782c0 /t 1380 /p 2284
1⤵
PID:3544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Users\Admin\Downloads\You-are-an-idiot\Google Chrome.exe
"C:\Users\Admin\Downloads\You-are-an-idiot\Google Chrome.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\88499c9429e74bac9b81baa6b6a9b82e /t 904 /p 2944
1⤵
PID:720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3940148bb31c739fe5a813002002bb78

SHA1
8c934f084062d305772a6643a8610c3a4587f95b

SHA256
b23186f7aebb73adbbc3edab05170def7edd8081ef6cbf4c802db559f5a8d538

SHA512
feb308a2c3f1263afeb806eb34e0dd986f735ed08bea4e2692ab73c3c8b52907d2947d6cefe259888dae95e86d3c7ae0dc3b38777b94cf73e326ec5b5df1a6be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f55cf1be8b1a74c21512a9dad51fb7c2

SHA1
5bb545e8dcd6b3b17a252c5dc5ec5e09298ba79d

SHA256
600ec1dc25d756a04fe8b37e07accf68fd045c8b28444a164cfe74f91fe506cb

SHA512
f59976c470bccd3afa3da64f5e715ba8eb69803fe46684247931c3d1265a174accfbb60e569c7916cf71a4c444e78abcfbb79ce82c4b10ebd949b42bd98d96dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
503766d5e5838b4fcadf8c3f72e43605

SHA1
6c8b2fa17150d77929b7dc183d8363f12ff81f59

SHA256
c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9

SHA512
5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8fa1cd489ab5b56b6710ead72daa50fd

SHA1
3cec069d859378ecada08b3e841a3bff62e64f97

SHA256
cbe291d6856d8492c057a64f7e0fd11676f597d6beb0b12a7246e6a54d0a8f1b

SHA512
410f744cf96bcffaa7be1b24907ef6a3ba876df0c075b0ad94f06ae63c5d4e82e78740831378037570449c2903d6467a8b4cb7aec4ba4cc532b931446f3a9942

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
f8df316084945b3ba15e710c16e9a6e7

SHA1
67c157a846dc19aad6df382c0dddc6db74196aa4

SHA256
c44b1ae24a9a8b2e78b2b119002db36f764d6962e32c1f79dcf17cf35ad225c6

SHA512
8ec42b36e596e285dc0b0d8f142122575ad3ba126b624735087c8f6fa0fe52e327231c65901051fc37240950c0a25b1940d293ae421c07650032f9a9200f6b88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
faad4a158b2cfd965038a65915e7e8ae

SHA1
b03ad83fc4a531c79d09fddf882803e835d54e11

SHA256
1c07665446eb5c0266c68c7ec2d0f279f520c2a84ea2860cc5da4735a0ab3a2b

SHA512
3e67e8f1dfe4630cc3915ec82ecb4b5bac88c04ff890e8928c0a0ade2e5f5564b9e27b80666f3649fff862ceb30afd96adf20ba90ffd1e743601060cec3b49ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
26a3fe2f29b77c563ba4b7156dc73165

SHA1
3058db2aa70675205dfe52a0225ee0e2469057da

SHA256
58a6c68f0d2e470b123a38abe16acfd6993feddf8a9b1f498d611aa319d12b76

SHA512
dbcacec4f5fc660912e172bc5031a9aed2b551353f083a887186d2e3088ff0b0ce1acad04252e10e3f60a40d1c9772e6c86b3ebc99d8a14dc822c0c7c01249d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b5452f6cf8d58c8a8d1a3fa6ea359a63

SHA1
346d1cdddceb4582845320619dcaa86050f99cbe

SHA256
9360f414d59c317c13f7c26565e71a324768a657eba23665449621de90cd76c5

SHA512
a890d542fc8e203374fed2658a812597a89e2d41fd013a9230586176025cde5ae5327c123710d3d7cd98015241bb5b9dbbb95a2e65d2bb8a17c931de979b31a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f8dc8c4eb3479e20773d9157d5cc6af

SHA1
9204a5b062e8876520a2de4fc5dbcb4ebafeed75

SHA256
a0c29f6f7d3438fb836ac7932cf00761a67619b45f40a313ee14f8233999aa6e

SHA512
274971be1d2c6af5b0a0da6355802817675c8ad66587bcf6bdf1138929830e0813c8fb74a1357728007b21bbf7eea768012dd6f4e258b739c1b142875326c1b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce7b93d7af8b2f49ccc44df99f554bfb

SHA1
759b00c9c9436bf7ef01e6fe265c68f396409e97

SHA256
86e77f28c7876a9d5246f71ced06bd695be11df149e10efbd5d43a72c0e0cc2c

SHA512
bbe75f42e9c25e2197326a58c1877e903480f3746a7ffcb4ce1073b4d24a97fe11ec310156dfac3e2c0c7f93ae155232eb68944c185093d04c9fd7823ba6747b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d7f37e2fdf1114507108827cf516c48

SHA1
7dfdde9eec668b2625e4cd6b54fa9f7141d79459

SHA256
f5c3e3fa03cb1393b0511272b1c402aeb58a34233b287fce5fe28cfa63e88900

SHA512
400f8816a86d05868782a17fb5443edbcacb633b7af0318b9855bb66f7b3b696ed213c54f0032c2bfdd6de558a808d69ed2826f4a1df023e679dd887dc40de94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c51d7a8d47e9c2513c40d7387c76e0f

SHA1
c0ab4c16bf4f1e10113e73d5c059bb84b7ec04fc

SHA256
909a983fec687946acfdaa774c60625baf4674b03f64d11a03ca52d1b03112bc

SHA512
1b8a4d05bb7339ad8ec20f07db6c0922cbc9bea3135d5e457e2224ef1a9ac563691cc1782ff2f43ebca66ec89bda09016ea951202ae8daa6e71a1c9a4b6977b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d6d5d5613712138190630c8955fc58c

SHA1
74e030d8e84be12c9350383b55109066bbd40e45

SHA256
404551036cfc5f9301c540e98c1ff72c4f39af9a957767825d5b471ce4817874

SHA512
e88469ac8342187a594ba4dcfcf9e5e2d89bb80bbab08af22bd6db37ad46038eb3dab9b6442e586188ce93762f6bf725d330082c16910f8cadf128ca2e160556

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
945a5cc10aadde94479bbf8a6a374ddb

SHA1
4ae4babdd77052bca027e6c1d96948e36c0950e6

SHA256
79728524348339f23d8ec3f1d0c56d2cd15a243f6a42609ec49adb1a549e3355

SHA512
377bced1bf2320fb651dddbed749c69a4b2af7544e64e073e191d95070f6dd076c4d783b75ff0136af65fd66e2847a4eb78618ebdddb8298dd9ef7251edeee14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
3bc5a2c6503ea5a74166e14f9591d7d4

SHA1
df168ac83c2768a99ad89118998624459d618db1

SHA256
c4e6320a228614e60be1a73ca4a9ffb7c23a78bc3ff83c9a0d37675d683a8254

SHA512
a47e2d6044f1efb98ea9fc2f569a6abe031eef4c83f34f1aeae17876e0eed9208d6f2af4277cde1f66917935e374c208d7a6c6f5e026904feb251916424876fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
b40b7e7441204b7c932ac884087a7dad

SHA1
4bb035ba21c95c268ccb0d2e0da8f08e10b5f79d

SHA256
2a794711bcc4c6f46bec00393235afb619de04e899b615fdff81beae4ca36d98

SHA512
fcc8ae11c729de570781354bc384b2950b3aac0811345c5cf63cc253b3d0f56742a7f86a1f89b5e5985ab213e3a67e0534a45a10ce0dc772b65da3a418687cd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
0d8d6d63b5fb5d3640a4f79c75b95b6c

SHA1
c328b38b1478d9ecaa7a5a9a9d75a5b7fbda5679

SHA256
37f16d8e30e0b1c75a68b92d757270222b539bafe58a6ff7a9a21343ce4c4589

SHA512
2172463497c26a668df29493ed57a10dcd3c207301c848dc56a4739989e1b3e13892e9265363b83d54b8e0527c302000914324f23a68cfe33a5ed2d07b551599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
58c42865d869ebc894f82d660f090bc9

SHA1
953bc380a136746a74740bfe2bb4b3bc2e308201

SHA256
c13c951a8ef2ebf50fd2b96fa0a4fb3b4a49f4df8186ba0941e019ae34c0962f

SHA512
4e9fb92c2cb72722c837d74dc26c8ee5523f080618ead839be196977da066d598a203a2b80b356836c84bc82461aa3420b029794a20e9b1d7401660bea387cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
66a67f6d9b529881a574f449845c3a86

SHA1
3a391f9807bf3f9f444ea73658a9245afe3b5309

SHA256
60929839b3190ebd7b3286d7e947beb77d8d8aac0791dc593ee07e48d7064214

SHA512
dfb51bd0d979c35d5629caf92d5b77ab11c46c9ca2dc469bd10be33a1999b59031efa79197b997588bfc1d13546250116b89388d0d6c99fad36383115350fac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1246fc77-24e8-48d5-91c5-3deae5294654.tmp

Filesize
6KB

MD5
a11b5c9aa696a0f28ec55ca10e4341bf

SHA1
d3fae2c4bb22b43092a48b041e7069152d66057c

SHA256
fd59a771d9a20042483f4e68888c7a16fd69c1875476693153863093a1ef74fc

SHA512
28994f093d95859e7a87217d84c3d316e6b804e83a1fe233ea4fbd2fdfe9bf3e4ea4e99b38b7ae365f24dd42cb35824ad7d7fd7a96d7d8bbd760f712c9ad93a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
25KB

MD5
e938739b12a56769d93009345d4044ab

SHA1
5c566c0dbdb6aa805538b3f7d80c693072e0289f

SHA256
0d5a83909375a9139c60d36dfe1f580344321ce7c38e7ac9463b17396b44d5d8

SHA512
0f133f2e6a918909f00bd1220f5afd05a26177aa17cbe29da35ca60f92f5bcc780f8f396e2123908f33e57c8301bfeb219423869b5f687acbe60d5b022c3fc6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
38KB

MD5
1806db26c5d614e263c1cefdbb1211b1

SHA1
412443dfdf346d3dc2d68e30cf717b402443f939

SHA256
5c191b166a2ad5f70572dea7fd656306623e3274a544d8e084a3c5f28b9acfa2

SHA512
43ffd45fafc2063328297193a992dea6e8d389943b3d39fb393e74d8bc64ffd50017be0978cc9b1c1e1242b88486e36d5b33840008e2482098c79814de4ab2fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
20KB

MD5
b701fd5ce841ce90ff569c641bf0cbfd

SHA1
923ef9dff528ad65b6f135828aa39340be591a9c

SHA256
26ac894bd46903e9b8d08bf85cf4c7795e88f7c9dd85717b7560e16acc007fe3

SHA512
67d8cbd5ca9334aa5c784bb73b2057d28e2a3687341cd62358b5c5211ba833e10909dada2069b49b0ef328c1a40d8e02b58d27385e3d944eacde240a4bcf2fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
37KB

MD5
d34875fe1c47517f4081a1e2c5bc91f9

SHA1
204fed3cda5eea26388e139dd1600682e7665cf6

SHA256
aff6fc26fb0c69a279bdf9b32b4d2560cd47039470cca8248534daf8d0876186

SHA512
aa164260951708910e1cc3d83c17f2d176427dcbe53e1e13cb539d65317a1750bd1e482850049e9c126aa5e70fbdd72db13d50367b90c8b8b37f01a264ecb148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
22KB

MD5
ef29bfb1387b586ae8255ea38b4dfac1

SHA1
9bf4210a476cc3e71cd86807d3bf43cf7fd552b9

SHA256
725ee295a00aee811955b7c9648e3f4cd0076d546c304e9d74ef78f61401b120

SHA512
198d95651bdb8161dba4eee700e392e37d80a5c34e6264e3bc141ca216597698c584e6461c0ac40c02c9359136bdea98e5d35dd846b2961724019048873a55d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
17KB

MD5
aa9d4b0371cd9ae330d7b131493f54c5

SHA1
e83c2b6b6f023a6e00d18f0c9ed6b8ae9bab1459

SHA256
1ffe9b8b344a25a19f33e5900aadb00e53b8bf1a22210ab66c7b50bbcbea45a1

SHA512
337e27650c4b534683c8589dc4787eb9bcfecae020bcb1a507a1530b1fd7562ba8d185157e8af23b06e80cc70136f51bbc0fc0ac63e581e34e410c6d08d398e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
18KB

MD5
551ec1ab5799476429ed57184a6e0502

SHA1
7bcf188080787adcbcf62dcdad2ffa9ad38e1301

SHA256
a26c3b6f6f77a35a297032c0ab11fa2be0a3e3d0091d7d2cf275fd40c84a43c1

SHA512
c9f59fa7160d68e2eb1cc8453a770423af23c2ea93a779aca1180111705096760aee976db84155973402731b113e7e4266772d32d1efd3fdd674d2ea0e5bf058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
59KB

MD5
2d0c1a94e743a96a4b3781ae54be0409

SHA1
278cabe3149e076466de567c608e6e9ebe59b906

SHA256
6d24279a8a0cf68a54d6b7ca5ab6ce0eef64d3a74958002d01e32920675b9f26

SHA512
10211443e4278afa413e4e05d3c035d3b66a2659a0826dafe1c5a4d14189c0504c33f40ddcbc5e71df6710c164ca0ebdf6b691a15de42379ec021f516d68056d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
38KB

MD5
37573ba0592fdbf40d4d9ed3b5fff664

SHA1
f16fcd431a0183c37a39824f2bef24ee4c0dd886

SHA256
cf11c85cd2e2ca3ff70c19dcc2b8ffea68ef263577ca3d3206741afcc88ec7bd

SHA512
340ba9f194bc8ab2c87152716603676bf3c4c36f6a508ee83c8d6dbfc70b22c8b9e5fe4882c0418cffd3f7c4b383eeaf5d11eaf42c5d11f88dc452c48d6c4afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
53KB

MD5
cfff8fc00d16fc868cf319409948c243

SHA1
b7e2e2a6656c77a19d9819a7d782a981d9e16d44

SHA256
51266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a

SHA512
9d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
88KB

MD5
76d82c7d8c864c474936304e74ce3f4c

SHA1
8447bf273d15b973b48937326a90c60baa2903bf

SHA256
3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8

SHA512
a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
101KB

MD5
9a861a6a772b86aaa2cc92e55adf3912

SHA1
85156e7eaf0d3bff66bd6119093610e8d9e8e5d2

SHA256
6e7cc83f3b23d5f48bafdd934321de60485eb8d9ced04c6299e07dc6bcbc0d1b

SHA512
b0a051e2e703227a55674fe235a97643ab1478af2384a5a974605cdd0e4ed79916d65e2adf61d19f59779da920699e74ac72cce05ec078f22f9b6678c5022a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
19KB

MD5
1e53408e78feddaa3dea2f0014d5dead

SHA1
3dbd20f4511465b8b18e4681ea24f9e0140307cf

SHA256
deb39cbf92259253ae2c5627f31489104612379e8d781a7b2bce775682c2d833

SHA512
601a7dd43d4e43ad479b4241d02652c5523b2bd900118bb2cfd579bfa451e96a6328723c61146ebc113e79c03bf718464504d43502836250fd6b3752e13d6467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
757852b1b4e433584ce8725c682889f8

SHA1
e0e208f2e0863bbe05ad51cc604655a5ea928eec

SHA256
6c2527a6a8e8090176adeaa83917c1d1d6c0522a9bb8c57cde4bcbf7e1760cc1

SHA512
0bcfdb5f194da1717912c428fb4f1e16a730fa58254c6c655f8578f2c6a06f3842f3ae2d27203ec5121445aea2e23b5420cd92da4410a408a653029d8be98dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f94e15581167179dea1620085d2c4f8e

SHA1
d5730aa3b0e4c873a8c69ae3c0f40141a7c0c03b

SHA256
50ae5b9031afc13a5d2f73f27eff9527040ecab18c613691d6486623c564be9b

SHA512
43e66f146e28a1724fc259d8279313049101d9e5ab3bf4043be02a2a574295e4c3d31f0da575a41f5946afca80c58af9d0312bb2f80b6451149e9d118047d175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fcdb05150efeba184ca712e9f04d756e

SHA1
4af618db28b86753cf754e9267b8f7c225282af5

SHA256
efce2cc8c99bda0fd758fd7b438b0abbb90a18069781833953f0b116b6201d72

SHA512
1784dc8e0bf321ce073777a10b54157227e5ce13e5c8981d47aa3836722db1c7af8d572bb5ec1c28ba3349bfb1e32e783ad0e7edf2875e5c415247bb92b0d569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c7017dcd5c79ccfe073ca2a78c4eb67e

SHA1
33d521c66e2807ee85fb61c1c48382235922a802

SHA256
cdc2405bac089a9e75eca406644c8e88ea3482b631f57b5cb3172923431aa324

SHA512
908fbc098157f45900464829ce712d7cc5f729fb116bacc3b618e8437d4c48688a544f9d8eda6ae845e80b6d3d4a0de43b3e2b33bc9c1710656a57720ecb6068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d59dc9c9452f453549e1f885c609a47b

SHA1
6272f0e9eb1f8d8c1e4d29f5457356239c171caf

SHA256
dd3ee318a2d1861ddd55ea950ad21e57213639abd339b0f67ff13634d7d3e52f

SHA512
3636233caf3f26783b560f503780330d8fe0e50df1d97f8a9a26cb61fb4dc1c5cab5445197bf1cedcf61c3ecf568059d083a800cf83c7fae37d3e530d9ee0eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
109a0a8fff6900e91de1d80b6fd67cec

SHA1
e606dc5fa912caaf78bb598265e92918c3b79962

SHA256
743927d0363657ada8688f261e0ba872daf8a852813c6da81e344a1f406a60d6

SHA512
841a50830ab78890147c50e380346f8d34a10c31b94569c0d880a632687fe682978b8802652d006d6713494f818fda86382c4f87bf5409724b61b4ef1f9a539d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fdc1ca5025934d4ed0283d758ea9628e

SHA1
dc39475aa01866e2e041af6f6b374bd20a2f6198

SHA256
fb68cff562e11a3853fbb9718070f36799e78875ba0273b3da5f95d5b2f8203d

SHA512
340de70b24b7a58b90e42e24ef08584ea1c044a5af9cac1ca4581d96685026016c11cde466f04ee4420d6d2710fcd985ac98dde6c9a577b0918e8e2e50876e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2643f07c7cc507a4101be5920be9677a

SHA1
f8bd7d0d1b39709991ba5a0e5d4658d95bdb1628

SHA256
1a6fc80e59e46ee8d6dd05e3c4f0729c3f0c459fd77d053439f3c560d6f194e6

SHA512
59fdb0c631f29be6ee633c2ee88b99cd8241f6ef573faea3e57db09990e4b0c6fcd8580aa5cdb2f626bc4e3b60fd93a4e7ca741c6845dfaf866ff4f681ced39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4bfa2caef9ab6770f75dbf390e7142e

SHA1
17e56e1d53d1b6e858ec0a29555bbb20fe3c1b90

SHA256
d91cb29eebeeab774adcb275062b6e5ff2bd9880f6112c26046baeaba1e6fb87

SHA512
ab524769e0c0e9afea5f6fab58c2c2188bab716c39b900e932c49a5250c00daccc756ea9fb646315ff6f50ea68be184f0cf7fc634dd0abd432b6c3bdfd56e83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5d2568c88519fa8def2e672a2aa0aba3

SHA1
8bba58b91ebec0ae19617c3c60d2fd050ff37fc9

SHA256
48393379f16daaea998070bccdab4fd0fa1b07f5ebd9226eb756dd6961924dab

SHA512
123c63cea426084927221c4e5d186e2817d7d58d76fc110b34cec22e21bbb156150880b61e1e04e991b26885b9011ee9c6e348ffe24d4128e4b0ea71cf9270f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
81256b109b117b50c9152cc64a6d6863

SHA1
2a5a86a5012293760389f91e38210bf5e705b965

SHA256
c463c1dd5c21500d7b12564f8890996f76164e53a544d45d26ff71ee489ee0ba

SHA512
cfd486678128f5e430f7e2ad988802b621414dfd82a5c4f4ade436850217098ef8a96a71e0fd9494b0e5d3a22971d9b7c33242cd2c702310932fceed2a2d6328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
296d228b43ef16c183c13367e3a66ba1

SHA1
5819b0dd66e92ff494ee9a5871fb290ca4622a06

SHA256
f099d7c25f4275ac1556f1368e7278953a0876fd66f97313dcc4c44ae0fd2be5

SHA512
99b9366fd39b6bde830e3820b14321ee511720c1c74fe95f798e28a7fbc5420e5718580b5a1466be758ba0d3d63959b186c410dfb1e5b46233f9f5b802530fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc261a68d29fe4f7b4e5f979d9927a8c

SHA1
80933c97c0fcc3d01af311091ed4b99a84d75554

SHA256
2c4ca639553677f16697fe82ceb6227a09c1130f0b8ca8e92495140659f43e97

SHA512
7b3b5ae7eb6ec8a676c8cde3074f413ac02e6cb4f1426551142f122b76faba366adbe637b2bbb52abdf9d2cf3f8180c9f15b32cc6ba606215820c349e709ee28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1e3e1dd6562c1f5b6f084d88e6689eb3

SHA1
da6e8d25158715e78d1c6c714c0a1fb9addafef0

SHA256
7f83de3bc41addac445742b0f59154e1f2b759dcdeb1c69c2b429b4dd81fc252

SHA512
bc348255714ffdb75883dc86c75a85eb1dd6835fc55df137dcf5166520aca5fa7f05c3c0b32ba43cc3223963c14d2bcdacbd8371810ec69d700e52d29129b778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ebe61b8d468fe7cd54d256e634ca1f1f

SHA1
9eb6c5b5351554ed0ab358cdc3f84cf82a87cb55

SHA256
354e86818aea65d66461c678ce0bb782bdb8843f1b123a8bf1305119148e888d

SHA512
e1b73215c290723bd08861324aa7b0efaa21d31d059275fcf9c2768bc30f38b6cc84787b13eb65a58c6b11720dd1cfcf14807ccbeaa370a90534c3bfb81ef398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
740878bb19aba335631a3e057d30fe48

SHA1
065b3efe221922c63944a3c61e11e1c3e3f490f0

SHA256
8adae073ecea4c72afe30438b04bc9dc120d1082bf55e2303b990624292ff8ce

SHA512
1cac94d64116e02d4b2de49074a2f5036cf8b7b963ffec5a931568e0dbfa69c30252bc6cc0b5ac7d28a24cbabb3c6cf48e47f62382ef513609582e090df9c47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1bda6437a51e6aa79175ed86525c207d

SHA1
961f5d366e1aaaa8b287a82bdd3c467ce1d8abed

SHA256
0ae58dc6c271df748d045fe0ebb8c5279713569316c2712ff3fbdef793e87a6f

SHA512
01889cd6fa4f4cad7b96f8d154391c97e3047aa4513f853189e057b9cca6f63cf8da4aaad67aec527c1313065a561ed36ffef544f053079b53fdb88d9e4e7c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b5cb6920ac09d290fcb2592063841fd

SHA1
d3369f4226dc1dbc1c403efb147f3a27f5d36101

SHA256
0d932eccfb4d94d1508536f4ef328045b3d7536cb0eb18f549960fe0795467b6

SHA512
a8c59bf6f0e675253cb31a5d3b5b4f6227ebc0628300b936bf65981aef40ef2ecf241231bfc269284a1d7ffae788bb7f73107f1eb0e7117f07e9e3df774bef66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10c0fb106de0ba31f5caa2ca1b6c5369

SHA1
99171e970dc41205b2063daadf26b072c73e40b2

SHA256
5b3fd0dae44f3b06f1fe0117f81cbbdc4a0558a9edde090b7a10eb4a2c7c5545

SHA512
11fc4171ac028f7446c4c87acf404a10b4266cd3b821d59eb3f467e656330c8b4aa84d04249fe0b25e2465b4d09a964f54471607d7121ff5cddbe16c96ea3f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0b81a33e601c3fde25d202b1019c090b

SHA1
bf8a3986a7daec8f4aba7ece93c8b73939ee029f

SHA256
b9b655b39778ef62c347063e961ddfd29307142f0175b5df0dda4fbeb4be4155

SHA512
ef853b9e71559fc1ed24d9712d2f8fc833e0c2e1d43f9e3ed0d1ec320382360aaadef29b08d62e9c7320cdae6d0c69a3f30a21476f430f3e25090fbb1f52e12e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cde5e47b6e38b513addd5f20213c5c30

SHA1
2e9d2bb20b57fe7c4701eb474b66e37b16b3a0ef

SHA256
4ae95386ff6208bcdbfd48269c63e0ef9c9d4367d683822e2e21ca93388ca522

SHA512
12ddeb9bddac497827a7f292fbd910858c46b3dcf6b36452f5d12d1fed4abdd24ff4b44f6599bd2dfd22486760062b5b5482021460925bf357bc2de36c8e2ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1ebe21837ebe2302e4991e89246ba0d3

SHA1
8f285d1afcb9304a8992be78b137e5a372c77678

SHA256
f38ab1bcf0a9902454b272c90dc8f35810adc398d4d91fb53fe80840324e9886

SHA512
402c326f85e4da7d31923c1d37920164f1014b2dc1a2fd6689e5b771b31565b72ca8d5dbd6d3e3da46cf07dd433026ba9c59506e92efb572f5fcd5f1e12edeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b8c6eea1c16df920d2d3042a5286a3a

SHA1
882009d22dabd4e2bb1c27be3d812bf4610867b6

SHA256
a69ddb0ca29ffc1b2a53f113a043e355e81f838cbf8ee283eca12f85dcd6c2f5

SHA512
98ae304f06bdc5cf78ac5987d69070418cf6536e02c718cbdbeb341a692c5be1980b7b65773fe24c20b2b20ea8772ab21e6d1428580db3161bc22dee9a04d146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a02974c9a2b8ecdcfb58600fde4fbafa

SHA1
9fc9d2fbabbda37117c4de224e59cc88ca484812

SHA256
a178c0ab6d894829ea4b4f1cb0b86d138f32325b454779f31094cd66b0a0f2bd

SHA512
d7a91d389d554c59154d7d66568914aa109dcb44dbd994943b8dc1486cba44318267cade0c392e85fe958c4533141f9e5ddc2bf60bf35e7c92c01e747bfa76f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a0938d03f0ea77c5fec637319ab928f9

SHA1
0610d5bf6e8777ac2374b9c3e57e5b8e7ea605f0

SHA256
9a1e7d4022ecfba07ac01df441d5667f4206d72a2200c2cf79188d8987dcf5f1

SHA512
071a5daa5b0c3c948e55aca4b64aa45de75c5dd256d223ef4ff5f8c0d87b6d3378cf646460aa5772cf8b61bf40e2cadbfb2465d8837988a06cd9ca6dcfc8bdc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e6cc36b5a5efe273f9a300f65285c02f

SHA1
3037c29b39d17be679dafd31abd5e7cee39d6df9

SHA256
39bee2a2bd23fda5d8a066452d23f0c97eba20c921bffa137bc570442fc6f17c

SHA512
806cd03aa4bc834a4217ff9f1b111d77a09d347b9b5ab56e646fb9ff624f7230a8e5fe8abd1166f562d6171349f4347e1942453dec5a127d4873138502512b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ca9676ed240bd7a29601e58aed3ab61

SHA1
9a710b3660c379769fb40213bd78464d4ebddbb3

SHA256
ff2ca5ee3c77466e2565155fef1292958171cf765a3de99fab5a6d87705dfe98

SHA512
bb10a66fc6a26f770d555a9706a6f4c882e47fcae9b745f3b8346d698479a6b4a2e7f6908c7cc57a9372a187d42089d3af02ff677401080e154f5cf683029607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9616535db16781fb2dae9ffd1c174908

SHA1
644d1e8a48d8014bb31d92bf94b5b40c7ac37b64

SHA256
2ec5683b4433e7504e6a6d664fcb23edd1f642e8563c56e11c9bd4d96303184b

SHA512
4c7305855fd045385bcc036c00b91cdc9940b13f0347b0e454c9db4572b3ef38845165968585545b0c17c76113f927d162e231aa6bd9db0e1f06434d883ccd86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15e41ee0fe70595488b2af650d0c6645

SHA1
14d49df977242a5acb60a9d89367afb219af0e69

SHA256
3376102f2e015c603c8bd0c4e3047223dac3664519c4c7a921e6ee8fac14445f

SHA512
79080193f1274f1f076a026b6f60375fb9fb3f625e07142ce94f609f57c38537e1d342a30b22e68bc356951eb686734434b8d70b5ac8d602ca1f24eb79e068fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4128b5ce1e9c02d24760591fbb31415a

SHA1
d43f58ee4cb1320cf45c808c396831d3df39e935

SHA256
1dfe5c12fd6386891646da54b1d3289cd23c858ead5eed602b722da973bcd433

SHA512
b08d3a6a0ed011af45e73df1d92d76a17adb91df2a4813e13d0a96c8d86b7c9ca4b2643333f8722617ae7deb95610706f375304b7a4977b903df7d7751d70480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
56c7e2267b85aa5b088a5addd9e122a2

SHA1
20ea7a177691818ad41a855697415e9da8278f4e

SHA256
e2b81823ab7a1b9573703efba9d94cb44b753e8b92961ab35a4abccfdad66c89

SHA512
6df1bd693ffa38bc97a2a8c6d391fec0d1385b6990101d1fffa229c835fda72c664d8ee02cbf2e026fa9ba8a022e8b1a3a063cf17701a6ab1ec9c55075639002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
41f70b3c565a66182d82db53dca36352

SHA1
f61b19c3791862e68377547fd37f3eb88c6c89a5

SHA256
0e5daffa1f5ea6fcd962e1299859ab97872b2d312047eafca8eef7a31aa9e9c8

SHA512
07b77c693a8030842e6609e42cb2c5054a6bd4be081ec4ad8e042518c506080c1332aa1041696dcbc06a597ea2c804629c8f4e1f5e431643719b9f95e653ad99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d97be.TMP

Filesize
538B

MD5
84d7e8d0f02cb99e60a8e330eaaee958

SHA1
572dca0adee8fa41463e1dfde91b323e437f08dd

SHA256
b69b68378e71eaca5df0001ff15d3d3fd0352c0f0050bdefc1bfc62800058204

SHA512
a09fc09327e472f06e5df5c2413a141ddaf9f454e08a10c7a07fa4196b308d8e719f6bfc89f6060d2e88618b9c5f0c8175efd61f0f44036019d98de3f63656e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd26031bc52d6f1c8008f5c16edec517

SHA1
0de71b7c1ae497b3e48d8beba1b9837182560e7a

SHA256
ab22fea45db60896ee1f543eb28ffceb92e23e4a7c10d54d4206e41cecebf318

SHA512
00f75b20dfc1700dddfdf345d318ad2ae59dd881210db3d090e1499b61da57aa4d2c88855df7efe6d05589bd07d7aed6111ce9f4998d8ec7fedd24ff773d86d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
80863b7a13b98610e18c47a2a1920c30

SHA1
fb1f066b5b4320ff37fd8631d37dadd9c251d051

SHA256
0b36d64526d74aaaaa7ee4a2356550cf7acd0c5ecb8005d7360bc768f35405a7

SHA512
dc4aac619a16d1a7ebae54af1e3dc579444ab4c8c0fec418aeecd81abc179cf9e89d59b487d97c21aa56a78254d8fb62fd20d21411f7865a1340be0c74b0cc8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e9bfaef209979bc247658489d30f605

SHA1
23552608025f47ee33c76d55d1b46e892a655fb6

SHA256
f717a83b43d8af493ec883946d7917ddd2b83fb174f7483a7b2223ecac476b71

SHA512
28f636550d6a70e84d18d03a6c13d988916843d5558222f97c1e7b253c0a2da2cfe913e7ffbee591fbd6a0d7e4d9bea7181f9eac60c9829ede552da14b314b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eaa37c3b0cd439b749ffa259b4e0c6f5

SHA1
3611edb3eb872bdb39080fa0c7f9e5dce0273682

SHA256
a7d266886ce1992ed240b5ee77d994574e2fe4fb035549fc1c24cc0be74b611c

SHA512
9ef166fd7543c583b9201c28344548c75386e164cf4124879d9891df9a430ee21b52222524cb6554fd6ad8433bd7adb33a340cfdab6ebee61646009a8e0db35b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e35104080d39eeb564b6997c565d0be3

SHA1
1dc5dba48e430684924a5916da2d88e08fc3a468

SHA256
941b5042ed31ea6fdb1da555a2d97f3c5d76fa04aa31305096c0e26ab3f25fd2

SHA512
aadeab1ca191c52d1f07da255a66854c991c157a581ceb20dd4c9d98182881c747cf9801db788e612dc1e766a4f69fed8b51df7f808e023c1ab6a609444c385f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e597b0cdf29b90ecbf8a740bf4464f90

SHA1
124b012ab0fb8f91248d67acd5ae7246f9fa66cf

SHA256
63eee44324452fe1d1560f9408c91b538fe432de3846f1c12685032f9bdbbb35

SHA512
f33fa518de52459d8bf90e55b9ab98795871c32940b1f431fbb744c0a29c663428bf3e37848d07172a52ddf2f7a3e24f39dc17cf899c82a34acf8c94837874b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c8e9fd46b8ef680243f96d360bf4946

SHA1
65bc107cdfe1449c6e233d79bc9c4fe463a85b50

SHA256
717853cb558baa222a9cfa54cede3cacd4ad2ce76c82fb154569ab6e132469e7

SHA512
8bb6785a6ffa81365a0329c3004f5c8aedcbcc7e536d5f77591daa9deea2d3c1f31c367d772463332f4c609835f4cff87add028d5cd51e664b41b43c3e353408

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
18ad7913a1142c59859ead636fdaac9f

SHA1
992831da84e66aa4352af1ffeda931639b5bd5be

SHA256
a912f6c10c47d19d25409e7d62c9e2fafaba729e8213b0a5d4da01e17035a67b

SHA512
b4d487771bf39e4fee1ddb9d5e1bdd9191b5e74532d4783e0da5533681872dcf0d1fe227f297d4119dab0138f6787a9a4befe6eeddf9e151310081bc61fa44ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
217ffa2d8f1729d9ae164afa9fd66ed9

SHA1
c8dae2bef6534fd09d18f3f42ba98c0ac715de39

SHA256
f1843cf7a543bfd8f5e1f91fa10f0d54b39ad4058fcf36e18eb4e47536b60be5

SHA512
4aaf68fc336b8b461280a0c07447ee90b81a5492f311587884bfd29a36740e4f0a43fb59e5678e6a1fa6c356230549d74dbba982d36da78a075f41b3fc3e1d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
22e6df469fe96cd9f76cbeb54b33f9f7

SHA1
6baf26bbd4793322c26a487cbdbf6aa8ab20f376

SHA256
2d9112c1b9163ad2b7aedee41b941825d447c231e2957e64830f780794bd10c5

SHA512
c5e2881f9ae5f9e825d76d491dcb578fe9b6e973d5db8fdf9daf4cf7fae88c8e119e475277773c3d475adabad896eeecd483bd7696ceffb08c44903811cd7bc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ad27954cfeb022de853566e74b235b03

SHA1
c48483ca741b66cf699cce45ebcfc423c17f84a6

SHA256
fdb04778fb07aeef8bce367ac63d477bb040e1169ea04b2d762e66503214f1d2

SHA512
029aeafa0c62d1d9800d60ba72aabbc5f09df69c0b654738930adc079f27aff0c85374fd9ae614d3caadb78cc34c2729fa221e85b551eac95e3feeb5bfc31eec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
7KB

MD5
de74008a04d6207125be940ee71499fe

SHA1
3850045f874a56de9c6dc3106b74a535503b4b1b

SHA256
d7c22b19478edbd994868b5627524e4ffe30642dea202a36f5b8775a285e53e2

SHA512
c14d9c7785d85c0922dd586a4a388c9486cac9f93387633e5190a4bedbe97db93a0c014a0f5a0ab0dc376eb94815e296f5824a885369f6699631777ccd018266

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
12KB

MD5
93865bbe40808773bff09dddadadfef4

SHA1
a0e054cc6fb54016efac883c9e215881afd9a7a3

SHA256
1f96197b8c28accd1dbcb71fd0a9eec62e58f576bf35c72252aaa1b12a622c7d

SHA512
f96e2d1faeb1fd89c8dc75c28fe6c8efa3f92033ec9dacc5941abdc9a2e05e26ca6cbf3929e63137b389f8128aa65f0e360ad05658efb24768e61b0860e8d555

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
a6c5813f739ace667307498129533bd0

SHA1
4c3e29f36494cc888efc8b32c3e0ef67e79d06a6

SHA256
58adbd980114b354da4b6df8d74ff99cc2b15d4574566c2a1abdcdff2b96e45c

SHA512
1aeb7ca444b9bba7ae74163ea408a82ba0c66680959329d29b8787ddc84bde5721254cf441eb6df88e9e61d21314421e28bcc927890f15b588d94b590b28643d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
d35b9febf0ef57db9905a85b53760bd7

SHA1
23fc07f8fa2473581e1e1f428ed6315fca49b766

SHA256
2bb2a81a23490834cfc57edc1f7f16c17e44f76737bed84c3cb44ed6a31d9ae8

SHA512
3c3e4ad2fd3f33b041eeeeddc24e706766ca70abd97ff05372ac8f3fce6d9d16b4afba71034af0fd105e8552952bddba8bc049c821352a16221a65a5787af35e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
6d11c1d37db7b82099283cec1981f0f1

SHA1
fa3b849c682cfd2b581b3dd24fe4ca1738f3edfc

SHA256
f948e131255f9a3c232e3a199a2892b1af9e08d0db496dc2925785453919874a

SHA512
55b4aac0eb136d14eb27c8029bfc47f2b1b57ebb9780774ba41e533deed107e3d92e111713b88b7deabf4384e081e3226751e86086ed3e4e73b72609ba5e5019

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
7890b4d2f6c3278e96b85463548d748c

SHA1
29a01b9c9d6f4959fff6b301f08fc399ac316df5

SHA256
f890e0f1baa0e70a780a32df3e4c4473d9d9e02d5ac746aaf2243126a49ecd2e

SHA512
8992c5f6a2baab7fb2b5d3ef0c5170f5615f12fca0829579b3166df3d492451350340ab20143839ef28c10f485e82ad1acc799032cbfc9ab6c6c9e72940151c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\10551ba5-5fc1-4fd8-83a5-02882ee053c0

Filesize
982B

MD5
631720641d4c0780959a63c23a7b2f43

SHA1
dda60ca03e05d6bbbd5afdc9772975b1b78249fa

SHA256
067f3b818568f2f066f8159e53c1e9fc4745fde61a13ccd7baa74420d50f0251

SHA512
a4a7590a631ca557a592b6011d25423a1a64a5935ee113011f6b5822ba9ce11b83179e328616afd018194ad4f8ee85de450eb31b4d6c7d41b1a959297c0cfdec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\f6762e8c-e836-48db-84bf-7687f4a76cbc

Filesize
659B

MD5
1662dbed658783e066b895fc6b1a9630

SHA1
99425cf5fb65db241583e913e6e25ee72e0c506b

SHA256
db8f648146109c166b697a97fe05351e3a49acf8c7bb48b1a88aff3ac8ae2653

SHA512
5bfc5b82b270b4a2a0a71502ba1091e315335e34d27a524b2b54f61c7170eff72632bba3323497fb716b850aad36a988cc687ede58beeb3dcde7ad5f2e4d3ccb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
11KB

MD5
64ca469a761b6cd7d3e2ebf51ca37972

SHA1
39586f5688655a2a029fe7715e214dbdc9377861

SHA256
e4539002c67c5acf35dfa9ba335aa9ec16b71bfd63001ec16ccbcf86f2b74cd7

SHA512
d439cf2948e48a7c3a742bb151b61b88818120fc4a871fb74fc430e691b02336b96c2652429db62f77aa1ac1e8377424b562fc8518b42eddf5700f94dd15a53c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
11KB

MD5
e34636f87defbeca5f393e2b9662a31e

SHA1
3cfb1e4375d5de2a1ab79a18219e713e2dbf189f

SHA256
aad21b0fe9b8efa16c2bace45e515869b516ad7da9e819394963f179fb0f2d0d

SHA512
b0d859006967973bf8d89cf2733b32068b56f09edd95e7a1677697416dd17206464d8c175ce11ddcbd47643f7972d376b00ef4f59a96f87952ce69fc061cf795

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
f92e96e38eafed901cb4e4475962e821

SHA1
50f04cf609a1b246c257b42d93c957209da2030a

SHA256
4aa149e9cad7d883d2d2ae63bbae2fa5c00302b7b21a87c1be50db33e4b77620

SHA512
08307160253661d61f7146ee41041fdd967e09932a34b4b7dcd9206bd5b68a1285480dfd91a2691397a0aae292686e2e9c7e22272f4b4812de8b1ce0233d90ab

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.8MB

MD5
7469b060980c9271cf2da86d478b9fcd

SHA1
d9a486e331a8bdb930dfee4248e9cad944e62dec

SHA256
a8e1b2eb66dddfa5950a7847db9cff3008521a475ea77b3766dd54ade4d1d0fe

SHA512
3f2cb8c27c80a2c1c5023bf26359ca3b92d62ba16cf469772b43b4bd0cd87c4be827a9f6079cc5ec46549a75f8d1ef9e7c7f1f8a10034a7a82f23d4a9cc8bda1

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier

Filesize
614B

MD5
6c5a0824951a5f5f9f5f7819e21ec043

SHA1
ffc805bcff198ba5cefb88b11ea9a19c2b8c76b4

SHA256
6bd936da16d4102caa501fc457eeef72d6f5c20dda7d55466b37f782b16b8a9c

SHA512
af0dc37036b9796c921aac06bc2155eda142a32e7fdb9193c15599b8fcd858c79aa1d9b455306325bf3334667d61bb89d67935e1febc8840702214296ca6eb09

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\You-are-an-idiot.zip

Filesize
33KB

MD5
4acd75f2bfeb99226a8c9cc721284208

SHA1
4c5fc527d8825952a6f45d4fcbab3bdb074e9713

SHA256
47dca4e070081df4b70053c858a851dbd720845d4ac579eb5e7334a44ffa16c7

SHA512
ba18b878ad12916ae75dd1f5fbee09bbdfef4776d243fa4e9d7b34a113978b529a242c66e868c52cbb0cab4198d0b356e83dc36355f9452e03e7fbd4e0f9f6e0

Download Submit
C:\Users\Admin\Downloads\You-are-an-idiot.zip:Zone.Identifier

Filesize
634B

MD5
4ab21321a0bbc3973ffc0cb8f47cd79a

SHA1
113af11b7f95a26aba4b52258cf6806dca9319f1

SHA256
a4becee149002759e5c3695cd5579ebb92c37c0d03cd8f5dcf1528c96c33f512

SHA512
5527fa79d34c26bb93c9bd617641c25542d57a55c904ff0becc3895064cf6fafa34787c2fba674a9b9e58d554971bb050db583bc1cc2f31a706f4541812ca0e8

Download Submit
C:\Users\Admin\Downloads\You-are-an-idiot\@[email protected]

Filesize
585B

MD5
f1d17de135333f5be2019d57a58763fa

SHA1
5c2e2a3ec302186ecb474bbd2abd458b696f1639

SHA256
1cdb960138aff4eec890e33172818928250e106c822e48fd647145c1e53340ad

SHA512
2719281ac6459dfbddc0d4c0c581d056e38c9af49aceefc5dc4c9e6f00e8cbf4a60ba307ef77a5c6f7cc2c5bfa20108ce9fae5347a39df60d46f1e967e2ef9db

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar

Filesize
17KB

MD5
352c9d71fa5ab9e8771ce9e1937d88e9

SHA1
7ef6ee09896dd5867cff056c58b889bb33706913

SHA256
3d5d9bc94be3d1b7566a652155b0b37006583868311f20ef00283c30314b5c61

SHA512
6c133aa0c0834bf3dbb3a4fb7ff163e3b17ae2500782d6bba72812b4e703fb3a4f939a799eeb17436ea24f225386479d3aa3b81fdf35975c4f104914f895ff23

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier

Filesize
615B

MD5
2279270520687fd8a35f9581dd121b2f

SHA1
8b4dc3d25a0a47680f6cdf8746a76b69218aeaad

SHA256
205801e59fd81578f1b49065e884a2cae4322daa6bbd4a1d2b6b3583c934030d

SHA512
80ff9320da4770791d9e65405f20954d2cf73b81b8a0371f1b748551e7f6a17f2ea598bfa441e7ef62ffba1099eaee18aa66e56c8962b1d049b60fb92e6f760e

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
memory/776-3912-0x0000000073EE0000-0x00000000740FC000-memory.dmp

Filesize
2.1MB

Download
memory/776-3913-0x0000000073E30000-0x0000000073E52000-memory.dmp

Filesize
136KB

Download
memory/776-3967-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download
memory/776-3960-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download
memory/776-3907-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download
memory/776-3884-0x0000000074190000-0x0000000074212000-memory.dmp

Filesize
520KB

Download
memory/776-3885-0x0000000073E30000-0x0000000073E52000-memory.dmp

Filesize
136KB

Download
memory/776-3886-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download
memory/776-3883-0x0000000073EE0000-0x00000000740FC000-memory.dmp

Filesize
2.1MB

Download
memory/776-3882-0x0000000074100000-0x0000000074182000-memory.dmp

Filesize
520KB

Download
memory/776-3911-0x0000000073E60000-0x0000000073ED7000-memory.dmp

Filesize
476KB

Download
memory/776-3908-0x0000000074190000-0x0000000074212000-memory.dmp

Filesize
520KB

Download
memory/776-3909-0x0000000074100000-0x0000000074182000-memory.dmp

Filesize
520KB

Download
memory/776-3910-0x0000000074220000-0x000000007423C000-memory.dmp

Filesize
112KB

Download
memory/1444-2425-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1732-1481-0x00007FFA2B950000-0x00007FFA2CA00000-memory.dmp

Filesize
16.7MB

Download
memory/1732-1479-0x00007FFA2F530000-0x00007FFA2F564000-memory.dmp

Filesize
208KB

Download
memory/1732-1478-0x00007FF7E6540000-0x00007FF7E6638000-memory.dmp

Filesize
992KB

Download
memory/1732-1480-0x00007FFA2CC10000-0x00007FFA2CEC6000-memory.dmp

Filesize
2.7MB

Download
memory/2284-2041-0x0000000005850000-0x0000000005DF6000-memory.dmp

Filesize
5.6MB

Download
memory/2284-2040-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/2284-2042-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/2284-2043-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download