wannacry | 6f200e8367eab016045a8295964728f115d49e8ba0f287b12a8092186aee2bf6

Analysis

max time kernel
376s
max time network
378s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-11-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaSetup.exe
Size

2.0MB
MD5

271269d8d69ef1e0eb683c8926f92215
SHA1

7bf1a083b6fbf0ec9517668f0b2536cb89e8d102
SHA256

6f200e8367eab016045a8295964728f115d49e8ba0f287b12a8092186aee2bf6
SHA512

2309795e7f7a2f25fd5257870a840dad5d482c5e307a9f540829f931fdd84a2c9ae886fe59982deae48a5d849cc11e88e042f8b6f0ff6ba38db76802fbd9d7e1
SSDEEP

49152:UVAbwuKbBgP4bW/rsMOgYf5yBVy96Ggari+0HxiQZv//:4Avqggqzsjz5i3++xiAvn

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9A95.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9A7F.tmp	WannaCry.EXE

Executes dropped EXE 39 IoCs

pid	Process
5028	setup.exe
1044	setup.exe
1784	setup.exe
3760	setup.exe
1040	setup.exe
764	WannaCry.EXE
708	taskdl.exe
5844	@[email protected]
5328	@[email protected]
2252	taskhsvc.exe
1964	taskdl.exe
1132	taskse.exe
5812	@[email protected]
536	@[email protected]
5632	taskdl.exe
4808	taskse.exe
5532	@[email protected]
2808	@[email protected]
5948	taskse.exe
5760	taskdl.exe
2472	taskse.exe
4752	@[email protected]
3900	taskdl.exe
5920	taskse.exe
4912	@[email protected]
1508	taskdl.exe
3260	taskse.exe
836	@[email protected]
404	taskdl.exe
5464	taskse.exe
5968	taskse.exe
6004	taskse.exe
1352	taskse.exe
4440	taskdl.exe
4344	taskdl.exe
5108	taskse.exe
4000	@[email protected]
1464	taskdl.exe
4156	WannaCry.EXE

Loads dropped DLL 11 IoCs

pid	Process
5028	setup.exe
1044	setup.exe
1784	setup.exe
3760	setup.exe
1040	setup.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
2252	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4620	icacls.exe
5924	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bqvuhzmmkvuc835 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
89	camo.githubusercontent.com
97	raw.githubusercontent.com
79	camo.githubusercontent.com
87	raw.githubusercontent.com
88	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133774618187824819"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
200	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
3692	msedge.exe
3692	msedge.exe
1524	chrome.exe
1524	chrome.exe
1364	msedge.exe
1364	msedge.exe
2600	msedge.exe
2600	msedge.exe
5744	identity_helper.exe
5744	identity_helper.exe
6036	msedge.exe
6036	msedge.exe
5280	msedge.exe
5280	msedge.exe
5996	chrome.exe
5996	chrome.exe
5996	chrome.exe
5996	chrome.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
2252	taskhsvc.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1620	OpenWith.exe
5812	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5028	setup.exe
5028	setup.exe
5028	setup.exe
5844	@[email protected]
5844	@[email protected]
5328	@[email protected]
5328	@[email protected]
1620	OpenWith.exe
5812	@[email protected]
5812	@[email protected]
536	@[email protected]
5532	@[email protected]
2808	@[email protected]
4752	@[email protected]
4912	@[email protected]
836	@[email protected]
4000	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 5028	4744	OperaSetup.exe	77
PID 4744 wrote to memory of 5028	4744	OperaSetup.exe	77
PID 4744 wrote to memory of 5028	4744	OperaSetup.exe	77
PID 5028 wrote to memory of 1044	5028	setup.exe	78
PID 5028 wrote to memory of 1044	5028	setup.exe	78
PID 5028 wrote to memory of 1044	5028	setup.exe	78
PID 5028 wrote to memory of 1784	5028	setup.exe	79
PID 5028 wrote to memory of 1784	5028	setup.exe	79
PID 5028 wrote to memory of 1784	5028	setup.exe	79
PID 5028 wrote to memory of 3760	5028	setup.exe	80
PID 5028 wrote to memory of 3760	5028	setup.exe	80
PID 5028 wrote to memory of 3760	5028	setup.exe	80
PID 3760 wrote to memory of 1040	3760	setup.exe	81
PID 3760 wrote to memory of 1040	3760	setup.exe	81
PID 3760 wrote to memory of 1040	3760	setup.exe	81
PID 5028 wrote to memory of 3692	5028	setup.exe	82
PID 5028 wrote to memory of 3692	5028	setup.exe	82
PID 3692 wrote to memory of 2304	3692	msedge.exe	85
PID 3692 wrote to memory of 2304	3692	msedge.exe	85
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 1268	3692	msedge.exe	86
PID 3692 wrote to memory of 2604	3692	msedge.exe	87
PID 3692 wrote to memory of 2604	3692	msedge.exe	87
PID 3692 wrote to memory of 4964	3692	msedge.exe	88
PID 3692 wrote to memory of 4964	3692	msedge.exe	88
PID 3692 wrote to memory of 4964	3692	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2428	attrib.exe
2840	attrib.exe
5920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe --server-tracking-blob=YmYwZDk0MzlhZjg5NWEwOTg4YmE1OWQ2ZmI1ZTQwZTg3NDY3MzY2MWE0MzcyMDhjOTlmNWNkNTFmM2MyMzhkYzp7ImNvdW50cnkiOiJCUiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9YmluZyZ1dG1fbWVkaXVtPW9zZSZ1dG1fY2FtcGFpZ249JTI4bm9uZSUyOSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3LmJpbmcuY29tJTJGJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGZG93bmxvYWQmZGxfdG9rZW49OTA4NzY0MjAiLCJ0aW1lc3RhbXAiOiIxNzMyOTMzNzAzLjM3MzciLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMxLjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEzMS4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6Iihub25lKSIsImxhc3RwYWdlIjoib3BlcmEuY29tL2Rvd25sb2FkIiwibWVkaXVtIjoib3NlIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6ImJpbmcifSwidXVpZCI6IjVhMmI1YTM4LWFmMDUtNDQ1Yi1iMWE1LTliYWQzZjUxOTZjMiJ9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.68 --initial-client-data=0x338,0x33c,0x340,0x308,0x344,0x745ceae8,0x745ceaf4,0x745ceb00
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5028 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241130173639" --session-guid=6e3cc172-c17c-4d91-8490-6d9d178acc5f --server-tracking-blob="ODc0NmI2MWQ2MmM3NzA5ZWU1MDIwNWZlMzgyODAwNGM4YTA4NzQ5ZDAyNTBkZDIzYWNlZDI0MjI3NDBhNGNjNjp7ImNvdW50cnkiOiJCUiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9YmluZyZ1dG1fbWVkaXVtPW9zZSZ1dG1fY2FtcGFpZ249JTI4bm9uZSUyOSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3LmJpbmcuY29tJTJGJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGZG93bmxvYWQmZGxfdG9rZW49OTA4NzY0MjAiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MzI5MzM3MDMuMzczNyIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzEuMC4wLjAgU2FmYXJpLzUzNy4zNiBFZGcvMTMxLjAuMC4wIiwidXRtIjp7ImNhbXBhaWduIjoiKG5vbmUpIiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vZG93bmxvYWQiLCJtZWRpdW0iOiJvc2UiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiYmluZyJ9LCJ1dWlkIjoiNWEyYjVhMzgtYWYwNS00NDViLWIxYTUtOWJhZDNmNTE5NmMyIn0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=7C09000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.68 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x7225eae8,0x7225eaf4,0x7225eb00
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe98033cb8,0x7ffe98033cc8,0x7ffe98033cd8
      4⤵
      PID:2304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,11915274860002972683,690203247723390076,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
      4⤵
      PID:1268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,11915274860002972683,690203247723390076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,11915274860002972683,690203247723390076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
      4⤵
      PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11915274860002972683,690203247723390076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11915274860002972683,690203247723390076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:1676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11915274860002972683,690203247723390076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
      4⤵
      PID:2180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11915274860002972683,690203247723390076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
      4⤵
      PID:2408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9797cc40,0x7ffe9797cc4c,0x7ffe9797cc58
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2000 /prefetch:3
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4300
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x230,0x250,0x7ff6cf914698,0x7ff6cf9146a4,0x7ff6cf9146b0
    3⤵
    - Drops file in Windows directory
    PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4864,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4920,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4276,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3764,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3376,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4328 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3304,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3344,i,4899427407712335360,1037605020646609267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5996

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe98033cb8,0x7ffe98033cc8,0x7ffe98033cd8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6184 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,16172075132447464993,3080745311912641489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:5996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:680

C:\Users\Admin\Desktop\WannaCry.EXE
"C:\Users\Admin\Desktop\WannaCry.EXE"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:764
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2428
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4620
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 166951732988335.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5712
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2840
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5844
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:3156
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bqvuhzmmkvuc835" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bqvuhzmmkvuc835" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:200
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5632
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4808
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5532
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5948
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5760
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4752
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3900
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5920
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4912
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3260
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:836
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:404
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5108
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4000
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4660

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E4
1⤵
PID:4112

C:\Users\Admin\Desktop\taskse.exe
"C:\Users\Admin\Desktop\taskse.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5464

C:\Users\Admin\Desktop\taskse.exe
"C:\Users\Admin\Desktop\taskse.exe"
1⤵
- Executes dropped EXE
PID:5968

C:\Users\Admin\Desktop\taskse.exe
"C:\Users\Admin\Desktop\taskse.exe"
1⤵
- Executes dropped EXE
PID:6004

C:\Users\Admin\Desktop\taskse.exe
"C:\Users\Admin\Desktop\taskse.exe"
1⤵
- Executes dropped EXE
PID:1352

C:\Users\Admin\Desktop\taskdl.exe
"C:\Users\Admin\Desktop\taskdl.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440

C:\Users\Admin\Desktop\taskdl.exe
"C:\Users\Admin\Desktop\taskdl.exe"
1⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\Desktop\WannaCry.EXE
"C:\Users\Admin\Desktop\WannaCry.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4156
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5920
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
1a5c29dd62e07848983ba0e973c3d2b3

SHA1
5eec395aa2df46f8a81e1fb1577c5cc6e461c8a4

SHA256
12ecfd34a0574b8c90e66317e79ff1c10fac5c79ceeb45ea3e44100d0abcceb2

SHA512
7ad8fc659be34c33b55e1ca81f8ed0725974efdd33c12a09e0b4ab1efbfa2eeba9e4a67908836772fc8d024be7daf5289ca581dd0a0ca473efeb82b23c4b8e19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
d764a7dbbb75f479cb93c6cfbea4d41c

SHA1
6a023f4994caf1f7e9cf577d63de0723dfed8f7c

SHA256
99c3157e95a24f9b53f833afcc81e4f909d92b11fae79f778fb0585d9381746c

SHA512
330dc3c3ece843496ab5cbd924c67d9d2b2aec7dbb9a5b6f101676564bc6112604e9299c82f9f3837cac633880a00d3cea5571b4e7722e441077f713fabdeabc

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1d6a5f1e-1627-45ef-b246-f4d72082fe3d.tmp

Filesize
9KB

MD5
ab46af5f437fd053db35f2dcb3619897

SHA1
e21fdaf19ba0a763d7464537470b8ba03e408c81

SHA256
7f511cad6e8d44f812bfd98a84363f1a3d34f610d0d62e23d29563d9617edf0f

SHA512
186dd3f355924b397c82a103e45fb6030369f4f2add7a4f861bc306c3b05b5870cf57e6d4095cbba502c7ffdde37212d951e37fcf43cae66a39af3d5072de10a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6228bda0-5178-4b69-8d9c-8854373a7576.tmp

Filesize
9KB

MD5
8ca1793230eba9f71cce90f87dafe70b

SHA1
97fd00c998ddbf6207c1d2b0d3605ae632e14a67

SHA256
be989b76fe68e9a61d5a926535f3615248a7cd6d79f1eaa4b6c4a602da3a04b4

SHA512
eedabbbda822769860445463ccff3078f9950e4c2ea86b524c641dfdb5530ee248c386fb62b410b6f33f417797449382e09abf34fae676b6e5368d219a91560d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ef4d84f464d187974e58c51f8e4cec87

SHA1
4c79e19f6e3c390efe36e601a12501b4e29a756f

SHA256
5607ce6c73d4f6a2d3a546725b3ec030610375fff131c4ef651137858f1657a5

SHA512
a7c9428dfef51a43698ec535b6f82d15114da6e959917a4bdb3e81d6f56b67d719c492f73d2b71868611fe62e431cd0cf228740a101d73c4fb7e14ab1e5288ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
acf8a1b0ed88f8ecdd1ab4c5464b28b9

SHA1
14b66dd6aed32bb30849466f44861fce68d73cab

SHA256
8755bffb07d9ced858db46cb137ccf425ec9a1ef63eb23a98e82c49476b99793

SHA512
9f99c831de560f96578cac79f3751dadf002dfec8b3db2a5b682ebe384f71a2d6bf9fd7bb1798484e159bd7570e773e203114ec2e3c3a6daa86ff10aaad9e104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9ba1ad180885a542f6a396ffa372ebc9

SHA1
61ab25979c0b098f346ac29f54cb15f39bd8dd68

SHA256
dddc2e6ffc546a694217371141270cdc4e06004e8f4d584d4329eeffa41b2f26

SHA512
27bd1a5f70344cd549fe06595faaa7ac6a61752ba1f29b0d31a92e9c04edac5ae03242596622217dab53312469ad223aeea12ff1ebb1fef4c4397a7a844ee2d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
43f6266cb3a614ed51dc2a1349d7308a

SHA1
b7cf4921825c97a9d6f9479b99cee1f7e7c019ff

SHA256
64d6a55805338dccdb6ef7c9a9e08ce52dd9e02842db64fee33b782658c7bdee

SHA512
82b0f041971684315a7d4755a9af8bb55c5bda4691d9601c4dce4dff3730fa9094619763550e51b0fdad63cd93cb77b72169cda473de96145a7643aee413f6be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
43c80bd6ab366f03bf3be9fce33f843d

SHA1
da9996e19c1bcee69a794753d0d8f11a9804896a

SHA256
32c6562935eabfa0f96484790e8bf290a6cd131b74267dcd47fc967d09456b4a

SHA512
30a7d2275a06cc23448e1c88a4264ef61b16102b1e1c9fde3a49676a811606724896308acc147e00052605f139cb1adce16aa1434630a5132e3865ae50463bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9c91e426cb5e7e418b49e1e981baa250

SHA1
79a7b722e83c07e483f551b8671d7cd4affd9352

SHA256
4e7a5803d2932bb0957f7ba255f1efefbfe998c460ea510d28fe4c75cf420d76

SHA512
cbe7ef554152728a320600bd5c47b3a115579f42a5cd85147ff187939604ed31437888cdd3bc9a4670739fef212c4206249bd438084eb4f88cce4c4bfab4ec2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
308014893132f03b43eb9a22bfb3c4e9

SHA1
9b755b40aa05b878e86968196758da005316d8ec

SHA256
68853a85e15bd8074f7adc0a56990695c95d5c234b2f4596cf9c46cf6925a4b9

SHA512
be9848a185c64aee53210a12fcc771e70590e5e2de33ccec010ea534e41d8ddc9e92240b60a279214fb1458872a8f92acc015e92faf392ec3330d0987ec4a7ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8d7bc1edb80537e73499285bce36224

SHA1
9172e33c569c0f80bb44ccd4f35d032fc434dfad

SHA256
8e94b2ca0f5941778ce63b864ae407e47c87b235abb82350b0ad28eea1106376

SHA512
eada609b8846d6300694accbfc59c9f652b3bb4b6b7bc8b150c332b3a7ac3c1412c98c2fd9dc12ea835dcc40975c11bd93e2b588cad44a39f660bb68b887d31c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91315cc18c96c65b039d666dff031342

SHA1
b5331c605eb5ba93a93a624b144dac579dd3b13d

SHA256
af533501e6ca88ffd40b77650df40733f8545e4bd7d1f1cd7307db8f4cf03373

SHA512
152aea485ffd3a738d4ad12df1d86c45eca84d80d3e1704911eccb437958e99c94ce94a6eec8b4daa74446197ecbf0ce169d0cb2a437cba6c4026935ca7e1e18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1ef5be7e4fc61c28232dea7f53b6e0a

SHA1
8f15ddd943b3e543d7d0c977586b4564145230cc

SHA256
5664fa59e7048e8c7cf93510494d2f5dc476b40d3cb35f73c2c3e08bc408cdc1

SHA512
96cc7d378db43f6f785cde9fe727c60d8b5493a83f3b1aef05cda2950577aab64834d2728ebca23d09a9a5b235d2765a0e73022faf731fe0ddd3547ce15299fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0bdbf83775c5d0b2b5ba34f639a8d928

SHA1
41f979eda9d36195dacfb01982079bb2756f0df6

SHA256
6c4e4c5aebebc609782c9ec38bda852216f5e5d2b7723c958d3d2fce232f557f

SHA512
7a22e8cc3e735f8633f880428924fe9e2590971a9173097e330ea9503525fd011e7aa96439f357730a70ce0277de2a0c822660c1dc47119d141188c2a1734996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8a67f4b3ccfeefcfa4245db32622427a

SHA1
d9d6f88035ca103523ff415852a634c12e852002

SHA256
6da0c69cd6b85c060dc4d11350cb19556c0cdea41b785bddfcef1cfac73ebadd

SHA512
3c8d4a284d26974ddc4f872c3f108796331703c901ffb6620eaa25768e47e952ff80429d2ea644dc3fc3f64162f9cd02b38865ba3c896945fd7ca2aaa75a6d15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
583cb6d9ed7cef4805bec12c72c95564

SHA1
5c91aaaf5dc9efe14f96d8aa0519979f9e879ea3

SHA256
bc101817d6b23b12b04a4be2ae59769db0ecd0364898abf84576090d09a12053

SHA512
2683833f1a6a27d5e1c9c39ce56733c1fe8c38f2fd28af7d9775bde6fa24fb1967806975f7f2e6863b48574af1f85ae3257864a488e0507541cfbb6d821c4cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12e5eb12db6b5aabb04905d8c0853760

SHA1
1e98022241acfc5a83de2d7da5e34dd2091b6a3b

SHA256
eb60459d49153bb1b17d37c3d86d75edd38b8f432d8d0062cbe5705c968142e6

SHA512
642a04c489d087e3cbb6bcc13ee890bccbb84d792338f24525ff748416e24ee975d07cee107b6aba37848e0b3e0ce12d4e18cf19b3b94917b8043e8fa904dd83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51a1fff7798a753b91338c2df4dafd98

SHA1
52a4f85741391491389f6acab9314c3f0a994e91

SHA256
718ad25f148c6c1490ba5c1087b2f59182a209ae1833b4273043fdee0d8fbee8

SHA512
2551c5ff770f8d7d723e556c91f6565ce851bc0a6f35b5fb757f8cee3bce4640c115a32fab9f5a1c77d234c7f0e73ae0febb4352ec19aded6dddccc54231c2e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f33238f74b6339351fed4b23c07dbedf

SHA1
9dec79794d76cf30b3bf49157fc5feb76ada94ba

SHA256
299bca37b26ddad8aae4cf6d934f72774c7ab85001ac0bfa1e5316fdd34f8e32

SHA512
17579a13d38afb6bffc89b7062afd15b32eec9602e714788137997b0a9a9cab0cceb06343d918c89caed66ed4a29824969dcd094ecf26b41fa27a2962076afd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aef4395e00de67e4cef3e0d5ac6664c7

SHA1
4012008d7e1602d216259c4ede84fac5bbbbb112

SHA256
a86c0e8186206c05c8a8ef64ba6afa61479c151a6a0e5691830d00dcefd454e7

SHA512
1f097eef0a0f03c8b1306f798e0c19138a8be18b671e5c83bc6bfda469cf36e9a55b5f20335a78706e715d53a85e3ea602f2a63aed101b8779dc7b5846c36459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44311d7e8e21b91fa2f3f19524afe26c

SHA1
2aa181d0b34ae1f8c663f43eae0bf6b1b595eba9

SHA256
f4fb4602ea9e5ef5e3a90a2db89b20ca7a2febef14be8678f2acaa2845a46104

SHA512
805903983bddcb19f6f7b9cfdbdf9b030598f76ce336b3916c23c797fd9578285ede62f8d0fe137461d0fca226dff6fe302b7cc600bd1714b818afe8b43497a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
057a5958de8b32f66dfa4be8f1e95d08

SHA1
3afe2186260ec69ff8c47473aeb64837ef01e5d4

SHA256
9b9755bf6d1005a5128e4a8acf73d47167b3c06b050e1d445521bdbe452bdae4

SHA512
39d28b7154ce4e44b5ad7b362d2b4fab6a6d782371b45832bdb6d1a22eb7de5ae2aea951fdf406ce8f941daa74e337024b86e097d06ee4674e4a1c0e9d47aa41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0a229607414926c62446eaaecf914b7

SHA1
f90177daeab070b6e94e4366b2b67ee6aa077bc7

SHA256
c689dc6e14dfe4ca3e4510ddad32a620b7e2ecaeb2696b9ab0d4182723dc4d31

SHA512
e01d40c65d507f955b1babf7584e343d091011a0f6fb08048edb2f5100e4de8d7a617abdc9a039f32abae995dcc58c4cd7fa7266dcdb812fb69dc0ad039e427e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1429366db06a13644f7fad4c524f8bc5

SHA1
fcaa049a1fe11134785616c938bfd0abd448a74a

SHA256
d12984b851f6d29e4b6dca5ed91a4e5e7f47ccd2abe5b4b885adda277daebe85

SHA512
bd8ed850866f20421ffd632ea21c3efe2d2ebd3976d7edc1bb664ec955391f4c5a7b9a2b0b1a8771acd8d2294e368335410c218125cbc96d40c3e87d90e18098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47417cf174df09091e89a439dc3412af

SHA1
e8dd07818363ea8d73805f73daf589074f707892

SHA256
d7b15c9f32206b5e106c46bfcdefed6f1a0b457c3e4b13faa1f08e8e5e3df2fc

SHA512
5628ca2b0b494d4cb541d3668481c378407870de9a15f5ad0f028e9addf8ab87633f38e80a1155935e0d79f8f43369a325c4b16f375da9fdfc7399a5b5b0cd5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
026263a9dc46446fba734c6c85d61b1c

SHA1
fea82e41fbe40ad72e30487fd337fb169e793a3d

SHA256
b1de429bf11dd3098343d6ef7aed0dd789ea6f434f8d451a2109d387f8af0356

SHA512
e310b72133975f07e9c86de7c2e867fc74194a8243521d886123b5cd83638e65c0c273d43663f9c0a9292ef4d9c1715228aeddda8da7f236890ab4a7d403633c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bef77a4f4c729de1e1694e5bf5aa6f82

SHA1
5c67fd088cb2694ad36583bd85f50da048f575e5

SHA256
2c032382ef3989149fcbf96762a54a5494adf73cc053fe3860664c7c9a3d4000

SHA512
8c35b29d8a99089b08c2f8305c838eef497774532fe6cb1d6236943f4e87c4a10d3341f595e7fec1bbb970160218441da2f5a5cff0e9f0b9a56513c500f7a122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
172fb52a8ec6201e59db70168f6635e4

SHA1
fe1d9ad316602b935dc9a22651e9058128e182ef

SHA256
a51d357387de16e122229506d469e5f7379fd3684c3e3a70615a8cfbe5ad5753

SHA512
74c58fd2bb7abdb063d0344427b5ada321e173b1d3b4d203dbe2795af2775fcf498bb7c1c1e98b3795561887abcac33249bdcc5d311dde234a0df09c24aa1391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16ea926c5ec43ebe245920b8873404e9

SHA1
16a68d543bb12152a65d7f0b15d7a038c8a67968

SHA256
2f2c842a73d2fea2264ff760515d249ba9c094a839d37c802597269b0e2fa8ff

SHA512
ca015bb20d744c31fd424d5c8feaa293b3b164d519b6c16df26d6e79618cb5f44400c73803e04784d236ce8b040f43c994a1658f413a89a7294c70c72ae1dc3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
689a16fa3e07bbe4c0e2ec9aaa060d34

SHA1
b8964b8444386edfcafa13fff70843c0edd14729

SHA256
64f19c0714b8b331e537fbe79cfb4acc14134a2cac4b8c49da3568e0f2c3d37c

SHA512
d03b1e828c621d322486a9138773dad39213913769d1a3f62be21ce36d12e81f82f90919b92bae82da41538e3e22bdfc6c424fa91d03ec8164aa87b1578060fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
056b24b332fd8e1522f0662752b2d5a6

SHA1
fbbe012746db3d768578c072d4cd39ed39d47f9f

SHA256
2d6d223f6787360a688fa1c143b5e457c85741dfb04473990031d0a7881bd54f

SHA512
c9371c7adc0cfb94c17937f7f46402ee5312129820d9910fdf16d52e9aba81ee6fd7142ae57f675d5b3a85090d36b207670a20a94d922b6b22766b13e60e5712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d92200757c9c8adc74e5d6545dd39f07

SHA1
aefaee5808e2de48ca479aabdb1814be1c8f487e

SHA256
a9ca46d92395dc2281fde722cbf94b60dc9de0020c1abf0d47c776decc028df7

SHA512
59d10cdc086af8db92c137415b78628bb2c28955dae36d5355777620017f546d3194335b9b18c253b45f23acf06ced55ad7a79ef16805b0c55cf68457df0401f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
376ae477f921193bf659c85e37920798

SHA1
cf9bdabcb1e43ec944dc3f3899fa3c44197543c0

SHA256
c7503004975d09c7458683a0bdfa1d57b694b135104e04a431819146432e0e76

SHA512
5cd6b0ae242538cc4ea135078660d95bc539508e35da8a51e98825ca12c944a048694db0355e649ceb61426a1403b52f4b155f98b50a4d1adb6dd0a64300114e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
9a57a9fbad318311157814aba04a444b

SHA1
aa2568d1e5a76d1c696497045c2d1d7ddecf6fe5

SHA256
f0347d9fbf782d9876852d364c5025529a9fb1d29799e819303fbb6e6f55608f

SHA512
b6a1296ebce33132d70e3f07844878730e7d007ed9d9208f1bf2738317733581736c4c52aff731f5a7239073c25fd4ca4e4f03e6fbadaddb9b3fc85152f65330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
803ad18a64c7d42aeee44a4a5c9d1998

SHA1
cf791a30c09b6b1d5a81f8fa2e18b38a279aa751

SHA256
f307402fb4bd78b5b06ef0c1e4877045f96ab127c3d6d94f141d62debfe3df80

SHA512
362e0cb767385198183b724049052da68940fac775d0b002ca90853f20d729060780e0e210c05bec2cea1c4845189743223e4eec34b5c6eac61a6c3820920b87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
b73e9af7f9f6f310734bfa383d75dc0f

SHA1
bd6aa08126a77805c26dd1b5a861a54550489043

SHA256
3a20b6b705bb9adb5f7ee4bc5e2dd84e49fa7c4c1deff859d9caae9713c0aa30

SHA512
759845b7d157327ec731bbf30e06cca2d7d5652c87b37d7c32937adb1995fd10733bac0efd4f5319993f102f570f65be8ad70ab3cca566db5d4bd3ed79327980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
100d3d5b55d5107ed511419cc82c0ace

SHA1
b283d09a87db7ea17b192dd96ebfade35b097abc

SHA256
743417e56e127d9027b009613faf63a453dae6d94324e0da20b6f9b28c6b263f

SHA512
2ad9e86190195b8d7cc7673720ab77b9fed7ca70f3fe4f4bb7bad6dca8a4fc79ee4fbceedd60a921d2fb0665821d0365d43418efd1502e69f6b24b1ed73fb0c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
a711cf66f72695b1c3d09f533234fc35

SHA1
123133f317ad009f815070fe6d6afe4396c29a06

SHA256
958ede3767e91df8b5302863a68063ff0273aef3c40dbccfa39104e90600cd55

SHA512
12f4ed4382b3999096ea2336c21060bd3f47f9497367d9a20c23a75a8d1dd1c32a27a2859c99b97e29f94d6065d86611652a0e51d6198f19fd1fb6670e5f1503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
d1e5be7ade6c7d5d33a8b526954321dc

SHA1
2b6141b0277d0390b52691ba4a5c9bf4c6f4b754

SHA256
f3e5546b478f8b23462368b38c96450e0a90d1eb96bc934f751d1280111beaf9

SHA512
b137063351cbdd678f1b2989cae83e576ebe5577462a2e6094d8e1bf8faa6f049fd78b36394ee146840e3a8d5fff3c61fb1cfa343d17d8bd113394bf6468e9b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
85b9988c750141a4fc5bfb8ab1877de4

SHA1
7efd3dd4089c61eee7dbbbe29de12c2e0a201072

SHA256
0302f3c2fc9d0b7178a4b4b3a3b3fdbea1e529f14f1d730f3f57f793b5a249fe

SHA512
f1ad9310a2f6142de2a82db4c1bca7df4f2994195dd76a42ca8df84850c75daa17d273b2ccd2f99f1d9223b684b28298330c1d14e126548c0cbdced850a03ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
ead9f53416086bc792683294f3e58c82

SHA1
db1e5a3938deeb7565ad9ea75de7f6808508444a

SHA256
6b9b32bf62187425b27cb1849a7ec356564b2cd3ad7e506a2a642d7040f97b5b

SHA512
1084455fee9bdfc5f16301962c09c44bc70b4a5c79d5a8d33658fd07ffc2d25894588452d306b224a08a24a3e84b52278f33f4c49187206010076dc57b84ada5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2c0cfd58a2a9bdb2c4f819bf3c56354b

SHA1
cb35137c1d375746cafbc4926ea329ea65e803c4

SHA256
bacf18616a0bf88a7435f6c95335d3641093b24cd4ed05614dff36e4a032fb21

SHA512
ff9596cff0d67dab876494a875b0cbd340e0caf70c87eb367e7d62d926ba0ea78945b91f24be284ec1211c54eb45e544dd297aa0073006dfb913c7320478c616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
ac18cf7d3d9d1ffc477e918d051977cd

SHA1
7ccd6e3d4a0b69b46d4c8a074ce50814da60bc50

SHA256
3801d6de76394b84dbfcba9b472f3db66583d024cb52c55b0e8c5cbe2648125b

SHA512
3993ca0bf6dc0fb509c4af15e255d8088c8838a6b0fe59d470b13e3994193d393ad21d2b51f9eaf5f874f564d5adf20648034f545ae4fcd1deec5462c57f7648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8d7469b62119c59a198556338b5e3d02

SHA1
6cd8477efaaf60c1cf8d837e30d1c5f18147a52c

SHA256
b0df88f0b2dd882e6694fc9575d80164735405bf9d8d388642d598a8c5df6b09

SHA512
0147729dc100411554b7e832cc39f553d8ead58da927bb4883314dd3d925c64fa7c53480ac7aaaa2b0786e6d79dca8003c12492e748615c80fd5a1583bff1e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
c931e2ad9974067a7ab5c76bb60687b3

SHA1
7c3b569b0b5752163ca6ef6a15a98b280f0771f6

SHA256
fb757cdb05ff37edfcae56d2b5e566c823a76b95585c743afea71e0a5d1143ab

SHA512
7bbdffa64becbc0c8d2cf24327a6e4f3e8f395755e1b669d34cb7089a16a0ae9f250d9e075a83664c436414486a0b95e5a5ba4e721c138c9fea48a2b3ea4eaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
e2f7029048446f768f6283c0931c84d7

SHA1
7bad70dcff74870748c3382518765f12ced73fd9

SHA256
9088c4fa90836201d7ae3149b43bfe1aa90edec1dfa3a452782cce3277f506b8

SHA512
a2ae1bf718d389ee519df0e78c404fc9883b16af6416ddd69fec03235ca4dd7dd0d61d3f8099a995ca2f5778ee536ab57628a61b6d7fce144cf45f590ed2137b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
b8bd4b6fc3d98202b80ca065eae46915

SHA1
deafb2f20c08d3277d309d755fbe602beef9f177

SHA256
d18121b38e88e61e31435337f1c7739559d14341989852077ad479dd22c1ee0f

SHA512
d654514da57daccbe2a2202266e5f34327159a110015f9a37d277959ee1b82dbebf9472ccd0d643f8bd60c395e13002485d9cc69490d9444931a0e45dd4766d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
915B

MD5
6d727760e368f0ac0200946f9229b323

SHA1
be2de0ddaa25900049469b4b57381844d9b992c1

SHA256
d00f6a0c427acfb013f26a97ac22335170e1f6fdc00bd9339e167f05f482acfd

SHA512
1e0bab39e682c6b1a6e66ed6751fd0987c037079765caf125227f0d61ca6b33067c76c805f3974f78414470df45b4a40e402229562ba6e77a2474e8876a270f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b1187b13cbed1b490e79e39019c0e3f5

SHA1
3f63b6bb5a8cfd4bed161627e17bc5ff16abaa6e

SHA256
dffb8a5a5d5422e6e131553529bd2dd1adec97ea95ef3d5249d2719693181d4c

SHA512
69746069482da0cc9c60c949825a132fd145532be8c276ada49058ee464b083d12dae29ed01f406922fda629875c0b421e3d6a0143fff27bcb4021d32bd9c3cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
123548f922320a753911e7233b37d857

SHA1
a8fdaa9d8faf3df3647ae73843778e060f434b10

SHA256
4a17a3c807adb2844d94cf76b54350f94573da43f474862629a668ae613cd7cf

SHA512
deb3c8921d083c75c81945719b40fe3c388544dfe0999a3d9f7c5f5194b746ef46bbc203b35f212b4e32e5c2cf9b58d80c38cfb806147c22f91db614204b5289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f33430928d414efe57418deae2ea18c0

SHA1
ea4594db8248b5600b82bb9187b818391820768c

SHA256
de8c85c1633c86bb6ab56990b6bd5420d9cfcbe88ecb86db245287d26ee0768a

SHA512
e3d0b2245b5ae635be7e732935f390b070f11a3b53b9ee4f6dc10ffa8b04a43f25b73ecae2c9d825db9b44da040694246a0b0445e58b69d64643097484834866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
538a2485a9e3d2e6ae14481e94dbdbed

SHA1
69a319badb7745c8207aa880f9cc08ca1f68766f

SHA256
492fcd902fb254318c010098422836d493a392125948ad92c4d8f9998c900d29

SHA512
73004ac6534b71f28d3342a8a07c026558f57cb81881a021dfa135d70ff50a37896c63b62eddbdc3adb9705d71077c7ece428cae1ca4354adf32152c702fc7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c3232c2efcbda7f1de4f09bae8676893

SHA1
75d9e7728d727830766870671bbcb7b3f30ce06a

SHA256
7ed7617a5dfdb717556c13b03b74e0fb74bc0dcc682ce7135f93638fd4548851

SHA512
eb34bbb8c59d47266d65bcf502898bdeab75b33fc90650d99d8a3229032c6c2a2bef2500f1e0eab9ff27e24fb27e1fa3f2d687d9e493baa8c841f971eb4c6d79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8480bbe3da7e8e9e2125bcaf9852ba71

SHA1
cd06167c00c6bce0fa6278d93c054b51230366ed

SHA256
2c11dff6ec4b33a1ad788c7fefa124cf40d5c8ea84a762770486e5217893f272

SHA512
fbd645c0b8609a0e75d62abe48a66e0c1edae69df3cfca983ee150fcd8d731dac6a2cd029ab33501a70a1667b6a38c9303cafec57d303946b15c41a2de2cf1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
13d86eeee07fbc2db0a87232ba473a58

SHA1
21be55701f1da3b196a6a057ccbb180e440ca924

SHA256
569b15cc4c6b1526c003fd3fcbddb7fb48b0080013d9da872af15aa0b858e69e

SHA512
e4483f80fc018b84be63f98055a9d1335863b8f8489edacab03c217c12f4d22c76d785e0f948d21a5e651be5e56322abe36a66658995867ca901285786b6bb1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4d49ba7ddd7837b08063aba7468f090c

SHA1
9bf3558d88883dd87bf2cf361e42b78dcc2e432a

SHA256
c50ca59edfffb6daf44058c43d196e1197d90a7b60e5bca4eff08c69982ad138

SHA512
a45c1e6e9753e001b5ae786093af8df4db578f45b54337dd829ae759213dbe765a577d0d952e6dc118ce0454d36aa41073b4559ed722f0879f3494a94d33a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20a4859a4f28ec423695c34c29c5c450

SHA1
96b401d9610bf6fe652efac26c19d2c98a317fd3

SHA256
e72ff460ba65cb7298480f9db9c49b52a240e51e825da81c4c6174ffd1a6ce09

SHA512
c091a9380c988a69dd058209a579cd6bf9605a9f716a9abe3064931c9472a46e109776aeba73f1547d1ef22c58be2e722332f1b858674f6fc1ad72c5e0e20d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e574d565ec828cea46cbbecbc8251f52

SHA1
893f213a30df696cd448664b87345ed321ea28e5

SHA256
b8acb9367657173e0c46ce15d0e1b1533d304df42a9765313b28c59315924ccd

SHA512
cbbded5088b5fcdfaf6d3085170252555145fb47ac95b92f4ffbc77e18fd6c52d3515f4caee16fe2398491782f062b1eed7590e1a8f6da3d8dec896e212e86a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1fceefb8b069b8e40daf84229f7f5b51

SHA1
ba7006e85bdc412239be2c3f5f3db351e939c268

SHA256
e83ff44d096b4e40ab2b76a67592835c02077f0ce78d50493704d954b6ced38f

SHA512
02a2abaa35c8ec816835e84c4a0db13186f1cacd623a29e19bf89a046e09337ac92cefbe853a48642b8b00ac9d567ca40b017b8894ff236dfdcd71da3ef20eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
fadd6bc623d89bf80a37196328d26b0e

SHA1
c9dc6593c4cee51128a685cce7d00b6fc7f8bafd

SHA256
a72a650a6f90a98bde34468970af2c4bfb3695e033cc470d5d9a8453ed22f4b1

SHA512
dd57d42e08fe288bdc73b8a97fe32fdb7cf52897a8c12e77b2883bb082d07f98de913412a6e1e04df516e5866f27b7f86978a73eeb202e86457901de895cf1cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13377461809897972

Filesize
2KB

MD5
1e503aaedd71d1bfe7eefd587aa3d25a

SHA1
04e7d2e8fa52aa79d77c44aedad197c95c14258f

SHA256
e55a66719c5fa387e5a481cf44803ca07d9be145d158ac6576742a42c4d65e2d

SHA512
10f39f63f7eb6a918bf4a9238d5578ec5cf48d30ac392ef4dcc9ab58a708a9329dfea9350dee216bd18e8ae5d70eb6504216f437848b53a482d26acfe7b1f6ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
f73448fcb052e19488d7b2369c0641bb

SHA1
8b424898a5a4b6b1bb7ad8b0004e0c9310bad656

SHA256
cd7aa37f846137ce3da7c8ba12e503978b920fb089427b79b6854f6bcb485547

SHA512
b1077b34a1bfacd85e2279157f6e286a30fedbcf9c2c36d822ba1b810895b683778368967ed1248b7e10804a4bb763ca6695f760aba4bdcb4ab011396fe8bab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
7793c710e271f0267804aa0943be7ffa

SHA1
049cec49df9e01954fb82329e32fc9388deebef2

SHA256
8bd4e7ae1c217eee1cd03cea8651fd2772d6a7296c8cf2a364c50c41b1c292cd

SHA512
96678aefa316313dc199a4e83e0fc14201b6a3ac4ad4314618f1f867dd8938dad8fbcd027b0c9ccba3c40c536010b06e4288955dc852e4c0706e21ae630801a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b6d55d3d8ca3eec9175d0c1d1ae41219

SHA1
8cceaef8baabc91c617871eafda83a24e53d829d

SHA256
3c9943f8d88bac7e4a835b16c4e15700b0475ecc0a235920c5dc3a331b5e69ac

SHA512
91c58425e4470a09dd959ff6c1e49474955241e3cee8afadbd7840a95f84c893ad688f82786a6af1d02c43ed8f3d8c1e2ca64fd97fc66fd738b5f8cf5ded261d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
475c4cea4c63da7694e9b0a30a6b593c

SHA1
fde08e459539eb7b31b90133caa17af164d259d5

SHA256
a38ac865b5ca9a18a054e08ab4ec727150d07f1e8fc6fd3e3f8d395ec3cf5ca8

SHA512
0f989690d0db582c37aa635ddaf1ba6e1f430b9036ce83ff46dcae009136705e9c37b5f3a3b6f5b391a29f1e69e9d9f47813ec658b1c44b42b8c2950e9018c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3173f830a98beddff91587a3ea1d5667

SHA1
20f79a6828eee4b26ba638382e5d5e1a434f9462

SHA256
baeced95dba64d253fc659756b9bf7520bea818085b4d7313630b4136f6126c6

SHA512
1371781e07c4f4256add840031405ec8f388a2011dbab4484ccc38334b2336333f8f60a6294b6cfac8814785fee9d1bbeb3a4d52075a5f6d405f0b655028642e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
495b1770934163e02f3a973f56af366d

SHA1
7eb172e31276c33edc39b4abfe83961f2e67f6f8

SHA256
1358cdcdc227bc263353fb82d0bfe96ca79e034b366f26ef2fb3824962e09fea

SHA512
88115dd68714884d0fcbd555becd9b6693babcb6a65cc1b2c718a3508a4e830af58a9ad8901070c7529865d5045e54dd48d6df96f0cbb52625a8b2d64863bca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7ccb559a5b2df764da3d7340b37fca14

SHA1
db3d0e2326c32f01541a0603da3b7c0f709c97a9

SHA256
95465a044fce1e5d6fc333fbc7fb29fedaa2d8d63c82009a2bad968f40255428

SHA512
9ba476767bc4b64f45361dd134419d6347cb164c8ac2a6996a6c45669eeafc928b2d8465cfbe347a07c2efff27737ddad347d742bc70e0baba36d7683d3ae657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
39339d6c76417a680b9e7fddd4174840

SHA1
9954385caab031a2062598656d4995858a15902d

SHA256
293742f5d3461c9add3a7e3d11a5ab6ed0c7c427fa3dc030d123e6b2208842b8

SHA512
7b443da50716d99f52f534085d48b7691160f13a73e23a2e79feecb8d47a147b758215fc8f1c15dd5c4442846aa9d2c5a8b4141e409837f75a2d60126e269c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f7610ec1-8d95-4c9b-b584-7b9bf2879907.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
482KB

MD5
5909137c32127b17d016cf89a75f051d

SHA1
4cd8824830ecc2eea1b48cbc6f7e6380b71a13d0

SHA256
e9b77ac72c3fc07b9317eb1b6b5a7d64831a966b199ace2bcc96b79f6db233d9

SHA512
47cc0c8af72264279de681b71899f4ae93ca40c83fc69fab8c78851f665bc8572ef82a58f435ee6cc4dc90dde96330ae7ead49442f9739c783448e23fcef2be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
cf0d294cba4851aaeaadd2bc78615e1f

SHA1
0152fda0e6898b1373c4a931dba522941a3e5b9a

SHA256
4b49de52958648e5b3fe217acd3404f5d6922230ed92cbd2b83fceb51bed36f5

SHA512
5b98c0cab43c3a5a889070bde918cf792c3bfba5aec474aad8e1cf025c2e1da33c98b9140c018cb4338ff5dee63e7745cdb49bc96b031ca2c00f4fbfd048a931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
d826e690c7472934255f19d8627a93b8

SHA1
df5a4f045650787a30bff266ec4cedf8d8fedbd1

SHA256
d25bb38185c1560f3e3ed4fd89f948aafdd034093eb16a358e26001b580a0379

SHA512
c0bdedbc4cb5f7e98545e1d9aaf32707ea8ac9dd6e692fea64016c71735fd4f71c2013793e07cfa0a60173912c7509e6a67e2bf4a3fb908e3a006f6bff5260a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
f1dcbd6e40dc7e0c9742e5163901afae

SHA1
c76566f9771e0d94c9cf222882bb8a1e95d09fe1

SHA256
b7ec579035abb4eef61a8dea9f5d740593d6a3d161ce05db6e2d030f9d57dd50

SHA512
a36d147a5342fece92f8802f88fe2254826a122e561dd63c1d5be32ea1fdbbf3f5710315b1ecf24a90be8960ab34b62f9f1a7ca65cc973ba337e33d819179a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2feb6a146cc5daa2a8201e64f040f0e9

SHA1
ed01e9420b7ccd172a345ae011d48ad67c50fbb7

SHA256
ae5c48ac56cee7ca565ae580968fa575bd7fd98d8430b085b100c2651cdc1a30

SHA512
f19cd744985caaee1d6ff20bac9ca579cdbe8fa5d21f0611398aa910a3931f2b874af26ac1f36bdabcadfb55d6b8bd3e72ab4d920dd140b5b51da77bca6ff975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4a6362cad0ef612b65ad8c7221c992d5

SHA1
b41efd25f722b585410cde0c213292d688b0a476

SHA256
3fc6d651325f5cf3550f5f9585732e31abee53c799d227c2075d5732060c9646

SHA512
e0a7f9fcf79dfb06edbd9dba1e53bf49a8ed88ac6d739c7848d7f5b00951daeff1ae22257df632ce1655b9f41c514ba6d9749ee23d6ba700cf9902285906faea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f04e01d080678774c458c09255116120

SHA1
76b97e3d47970d72175f164b1529a94f6fdaa63d

SHA256
20943323955b0e4df9aa199eb887edd74f6309d049dd049c15b121b7d82ffcd3

SHA512
bcfe885f51afef24b2de1c31b807523fe7727b8ac447b3965b3fa3fc0f5e29d43789afe0c2632ee149bd2b558e8153271e0ba9007cc22b2149c8457f280aab7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
223ac200fc80e0c00f2a39e57a72b4c1

SHA1
a54f95bd9bf7248556363cb7f12f84100795f8cd

SHA256
a529da1dbc9a3a0a3380d44865bac62f8e7f7f63d9a9290bc1c2fa468d84a7ba

SHA512
0b40e1ed5a5a999127944160439997ef36c519ec878ce8ba42302b40b825a401ebdcdc9495b7ce29b901336c5de86830d081bc747a425d96ddfac3f12450ce62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a1415134804928aa282127d1f9695079

SHA1
880467f66895c222d896378f8fdac37a04bd6f27

SHA256
c0931d17189d796e235043b6e0149fece3551c59979ac08cbec63d1d7f04692d

SHA512
2ecb106605e0fb0b57600305a25f28bed54206e370beb0c7cf3d30d78ff44aac988a363aac78755e1d001a026dc2f58317494657024249facdc6b858dd53db04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS882C4747\setup.exe

Filesize
5.3MB

MD5
0f82fa9c0b49e161711a09f08656ee34

SHA1
aa34bb01c9cb1fe586a0fe9857465d8768743c81

SHA256
2143cd5fdd9cca6306c658fe443cac958d7815ea6c126ff176f28a6ff3ae0a0b

SHA512
f61e9e7f341c5a65ac3956006b30e3b6419df790a13512281b1687b14e0f8efb9323246935c3788749db98e444ec7532be3806a5a3cd3806c4fd8e0ed6697205

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2411301736387575028.dll

Filesize
4.7MB

MD5
9389caffd24ecacabaaf8bcaf8c39298

SHA1
0607b3a19b1f213bfee65422ef9c645e4ef1cac8

SHA256
7be59d30452748b6989887ea9668b239fe131cce3a60145075b3a122d09ff59d

SHA512
9f5a89300a5ea734eae6b0a6e986549baa8a1abe3aaa176e3dd64b3dc2bab4b52cb44a7c897ea8e1ad7cabf8adbfa2fbe866823ef2d23374230a2b4cc1ea47e3

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
774025c3bab5c22d3f265a88833003bb

SHA1
8ea39a90b27f976bfa7d731eb8c65d49ac59a5a6

SHA256
e0e7a650b3fc85e7483f6dbcf0223245b3297f5fe16dae50998fa8ef3cfba23c

SHA512
bee9b96389c816fd079e12b2374743e557fe8ff20c4bdec3cb47cbabbfb530b3fdee06abb5358416c14f8b551318ddae4b4b0d71fae92eef2141f04160abefec

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.3MB

MD5
cb666c90fc71b5e134fc64588836964a

SHA1
f5ce260d69abe8bebc5e7c2ae1950ba88332b62c

SHA256
51bab88ca1de566f4e0bc1db1ed2c7a649daaaf024c2d068f09f4a0cddbbdb01

SHA512
08c8a89488e61ae5e6fd47fb17cd5c0e943f3f8d94d4ea2cec7c2b23f28699539604701875f9635ba64b4a9a7b1cf5cb866f36d9fe28058e1585a0832449d384

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 600021.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/764-867-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2252-2078-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2254-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2235-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2216-0x00000000728E0000-0x0000000072AFC000-memory.dmp

Filesize
2.1MB

Download
memory/2252-2211-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2188-0x00000000728E0000-0x0000000072AFC000-memory.dmp

Filesize
2.1MB

Download
memory/2252-2183-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2134-0x00000000728E0000-0x0000000072AFC000-memory.dmp

Filesize
2.1MB

Download
memory/2252-2129-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2126-0x00000000728E0000-0x0000000072AFC000-memory.dmp

Filesize
2.1MB

Download
memory/2252-2121-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2099-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2079-0x0000000074230000-0x000000007424C000-memory.dmp

Filesize
112KB

Download
memory/2252-2081-0x0000000072B00000-0x0000000072B77000-memory.dmp

Filesize
476KB

Download
memory/2252-2082-0x0000000074200000-0x0000000074222000-memory.dmp

Filesize
136KB

Download
memory/2252-2083-0x00000000728E0000-0x0000000072AFC000-memory.dmp

Filesize
2.1MB

Download
memory/2252-2084-0x0000000072850000-0x00000000728D2000-memory.dmp

Filesize
520KB

Download
memory/2252-2080-0x0000000072B80000-0x0000000072C02000-memory.dmp

Filesize
520KB

Download
memory/2252-2073-0x0000000072850000-0x00000000728D2000-memory.dmp

Filesize
520KB

Download
memory/2252-2075-0x0000000000BF0000-0x0000000000EEE000-memory.dmp

Filesize
3.0MB

Download
memory/2252-2074-0x0000000074200000-0x0000000074222000-memory.dmp

Filesize
136KB

Download
memory/2252-2072-0x00000000728E0000-0x0000000072AFC000-memory.dmp

Filesize
2.1MB

Download
memory/2252-2071-0x0000000072B80000-0x0000000072C02000-memory.dmp

Filesize
520KB

Download