wannacry | hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r[.]zip

Analysis

max time kernel
216s
max time network
221s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r.zip

Score

10^/10

wannacry defense_evasion discovery ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	[email protected]

Executes dropped EXE 5 IoCs

pid	Process
2412	[email protected]
1524	[email protected]
3628	[email protected]
4380	[email protected]
1464	AV.EXE

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2948	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
55	raw.githubusercontent.com

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000045295-895.dat	upx
behavioral1/memory/4116-894-0x0000000000600000-0x0000000000693000-memory.dmp	upx
behavioral1/memory/4116-890-0x0000000000600000-0x0000000000693000-memory.dmp	upx
behavioral1/files/0x0028000000045294-888.dat	upx
behavioral1/memory/984-887-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/4116-886-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4116-893-0x0000000000600000-0x0000000000693000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\082e8090-8a9b-4f2b-92b8-b53ec226be88.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241130200148.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3184	1524	WerFault.exe	132
5540	4380	WerFault.exe	137
116	984	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
3156	msedge.exe
3156	msedge.exe
5100	identity_helper.exe
5100	identity_helper.exe
1132	msedge.exe
1132	msedge.exe
5372	msedge.exe
5372	msedge.exe
5796	msedge.exe
5796	msedge.exe
6072	msedge.exe
6072	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe
5672	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5052	7zG.exe
Token: 35	5052	7zG.exe
Token: SeSecurityPrivilege	5052	7zG.exe
Token: SeSecurityPrivilege	5052	7zG.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
5052	7zG.exe
3156	msedge.exe
3156	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3400	3156	msedge.exe	81
PID 3156 wrote to memory of 3400	3156	msedge.exe	81
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 708	3156	msedge.exe	82
PID 3156 wrote to memory of 1052	3156	msedge.exe	83
PID 3156 wrote to memory of 1052	3156	msedge.exe	83
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84
PID 3156 wrote to memory of 2464	3156	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
472	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9da4046f8,0x7ff9da404708,0x7ff9da404718
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6ad915460,0x7ff6ad915470,0x7ff6ad915480
    3⤵
    PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1680 /prefetch:8
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4988 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,14755445917831330918,87661538423145373,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:2312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5184

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\*\" -spe -an -ai#7zMap32532:322:7zEvent26953
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5052

C:\Users\Admin\Downloads\Ana\[email protected]
"C:\Users\Admin\Downloads\Ana\[email protected]"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2412
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins3125.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:2044
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  PID:984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 656
    3⤵
    - Program crash
    PID:116
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  PID:1860

C:\Users\Admin\Downloads\Ana\[email protected]
"C:\Users\Admin\Downloads\Ana\[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 516
  2⤵
  - Program crash
  PID:3184

C:\Users\Admin\Downloads\Ana\[email protected]
"C:\Users\Admin\Downloads\Ana\[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:472
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2948
- C:\Users\Admin\Downloads\Ana\taskdl.exe
  taskdl.exe
  2⤵
  PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1524 -ip 1524
1⤵
PID:5596

C:\Users\Admin\Downloads\Ana\[email protected]
"C:\Users\Admin\Downloads\Ana\[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  PID:5416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1488
  2⤵
  - Program crash
  PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 984 -ip 984
1⤵
PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
467bc167b06cdf2998f79460b98fa8f6

SHA1
a66fc2b411b31cb853195013d4677f4a2e5b6d11

SHA256
3b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd

SHA512
0eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc10dc6ba36bad31b4268762731a6c81

SHA1
9694d2aa8b119d674c27a1cfcaaf14ade8704e63

SHA256
d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f

SHA512
0ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ee1d8b535eb6223506268d82da7b1b5c

SHA1
b4e2e89b2f3d789a9140642f36d4333238780114

SHA256
aa56eb90a1982b447554e16d4b623154f34dff787702ee2e92cabc63810628fe

SHA512
9373ac5f6faee65710f667479896e77f69913de4c095aeff756fc934a4d677f2f3433691bbc49b49f2a86844a156ef39061379762edb7e97ee1933ddb5df49c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
254df8752accd45880eaa44b74f05bd7

SHA1
f17b541450b76cc4402c3e4228b265951d203091

SHA256
6ca05a17fadec9f7ae0a49af026778f36b3038d3038f79777f16e76ee2144653

SHA512
91de664a19d526e3c8356988e4acce4e2ef0e1638e772d0834089673f2097d6bb9a7bf3097fcabeecc3fdceec09eac0b67efafeba6ef41df150cacd97d920f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d96f424be0e19fc9499fddec349d8c80

SHA1
d47689a9115581fd500c144bdcb2c63355e8b3d1

SHA256
29a4489fb09b8f31d29671453b05b29e8581add8868d8f8c4274124660ce43cd

SHA512
67c887e66606b55e0f4a0537ccf54201fca07afb8d72227c1aa3b051cf2d840109df0067af2b4ffca40de43a3338467a5033d0ba459cd69e838a9b5cb1d41b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57df83.TMP

Filesize
48B

MD5
0156c720050cef1779524b31c4ff03d6

SHA1
3ed02afb8483bb51cbf175e1da5f6b5405afe5ad

SHA256
8900c2a01ee7689340627cfd781018380e1b44946b925dea0083eff8f950d700

SHA512
5be92fec277d4dcb0ef401d6c96c950b316c82c5d0769165b4dcd98957b965df3296577f3827191062d3aff32501b0e9eea2fc2153fd3b240c4ba603227cb6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
e1af32f65a51f37b68a5d6161c50e10a

SHA1
5a2ff99a60b6c10f1ec5f5285d8f9f5502dfceba

SHA256
31afef80eae2c16bffe7816ddb007cb81efad6865fad4de2b9fa21dc0bc8bd25

SHA512
096bb08e958d399d5db16fc80a79dce6331c5602ef988ab8b4f960460197265fd695d33e30f0494a9ccafbdc9f3ac51827dcbb4c0067edc449958ac3b350b329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
492B

MD5
a4cff91b2e289bf850d7661928c61b63

SHA1
4db7a2027a9b392375d61760f3a5cf879cf493f5

SHA256
524801e85aa5b065348beab81d679fae642aedc7c100004818440b3a51fff24a

SHA512
a1dd92a87da06745eeb1253ff1f47b58d0f89276b351ed58af7dadfc91bca9a00f596cc30f0f99119f6066ed328b93f71db91174149aa7c71da0218251d8d3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe589769.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4b4c727d5620b6a64df8a218002589cb

SHA1
45be2739aae75d0f1e89ea53bd9d2abb02784df1

SHA256
98b3a3c8c5172a24fd740c40bc3d2c7b2e93090794391b0e520bbbe3f370541e

SHA512
82cc489c8c0f85e4fb108da34df8a1e8bfda12984b43890c7269e2991b53210b39443b33d040e5147292d250d7235c22ba83a92e963d1ee136ea3036001117cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4c063980174aa1211016dca669a5e98

SHA1
26238aecba0d193f7fff65b7ec3c53af2c101a81

SHA256
a17b624c4553eb8055b14bfa5aae6b5458ea8ede67348dc2e67cc19f95b223b9

SHA512
31e2e9ade35250c32f4ce4bf53f66fc930ebfeb802124424e7cb1ad0cf6c01ac76b25e78f882b934ebc5830334e31c277d8f9cc144e4e3c368233574639841e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e79e663968d90f0bab6b6c52082775b0

SHA1
c4e9836a33ed975233ab3139fe058261b7392723

SHA256
fab43161e85ce399cef8d671250ca46a2c602192b7a94f897aa74300cbfa3267

SHA512
cb4b06de7636b84d3827bcdcc65ee98029d929dd69dca140833eb698806a063a69cc035443f9055a78d42ee6debc06b7f2e248bd8a6cd7b5c77e9c8c7e231144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d745af989f74a83b77d53d4158728e11

SHA1
cf8fbf97f6d87157f7c07f8b7b663b4bf75679ff

SHA256
b0f9a33325bfeb97dd0bd7b175862042cc607406486aeb25969c87d5c72c1aca

SHA512
0570904bd668f3ee7d33836c252965bbcb4fd46f5389cd560985fed7dbbcae903fb80474afa2d40c8a5600fc9bde07c7d9a531c25f61aa1ad4666d6eb917f2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
80e4d6c5d18daf50646f2c8d4adaef45

SHA1
5adadc8aa75e1c8ff761d4fc057421b7e3fa9df7

SHA256
788e12f5012e93a22a807e4b103ec1fb77c32ded94c3b941d4596e270ccf4d1a

SHA512
bfbb38bec83e67abe79824ea10a4db3a8e3319f984559446c76ed1d221a194f530a93093bd8e85c43fd862f6cf32eb87b6e373b44f04a57c18f75aeb6c588a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d215009f59c4eee48c787cd86518e378

SHA1
38e452257d0d4059facc954cf6d2f9f3b698bcbe

SHA256
5f30499253158475ea491e3cde4ef4e9bb4e5fe15384485b9cbb57c3f034139d

SHA512
52dc132d3d40e9587fbe6c7d8b4330ef2b39641112e0801311d8d1ffb397d5ae46d4188e0882827e4260e88c533f37738fcb4ee00ec3b8e2a6516467765e758d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3b964859deef3a6f470b8021df49b34d

SHA1
62023dacf1e4019c9f204297c6be7e760f71a65d

SHA256
087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5

SHA512
c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5c2d5c900312f44e72209416d45723cb

SHA1
68fb8909308589149399c3fb74605600833fbbc1

SHA256
56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8

SHA512
07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
db6b8b401148338be35bb7b45a4fc487

SHA1
a8172d512714a323d3a37ecd0b09118db156d3f5

SHA256
a31dd3af534fa06953b377abff224d6dc41c29b16a9169aaad6b90711dd42d62

SHA512
9cc053f1bbe154ff9eaca50d5f25ccc9f028d96480a9b627875e84ec8896446d31ed6e98e7548520b16ddf4b6ac4f1759a060d0e576d6e0f3429d1f1437db780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a7eb7.TMP

Filesize
48B

MD5
06b05d70768b531657fc236bb54cfa4b

SHA1
4ed38efe0df1016fb737407f8926263478398df9

SHA256
216b4a46bb632738d34b71db0ec312bd31c903b721ec163a44e53a0f9433ad19

SHA512
660ac27d46af07d8de8b98cd63a4fa47566ab3bd754036998b55386131580aceffb2716f23c41eff357ca52c81a7d1e1531da32200de6d372f5ffebcb7e97549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
a698bab8fd0430589e5eca3aefaf0065

SHA1
f7710bf346104a20824bb4339d8b71fc44a8a6ba

SHA256
2fc6e5528b2f381660bcf6bcd03c45eb8e672e459d5615dc163ff3040e5b1c0a

SHA512
c9a90317cf783e35019711f16026f93cb877124e5fb70f2270c5fd4fba597c277a10b9e60627d883ee2b3f6262a9807ffdbc30067ae8ba588f6ff1387ab65fcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3ef78435e4b021a92988fe753d06d556

SHA1
aa1fc98b85988820e174e352dcdf134fbc43ac47

SHA256
92155bfc8f68a85e07df3d089b347154056fc1ed406b2b1355d850a3b261f647

SHA512
2519be0daf102e777c3a576208d2eb38f3a42a245cfbfa070beb15114dbdee281eb83db79eefca65b9099be21b24513762bf8e11a320bd2508f5f71a7d3ec654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
a07e2b1eaace83d9a951d15b8f8b3865

SHA1
80c267f0da75e162b07405f2d34a44c8a1da435a

SHA256
819a3b37f069c4f15122da2315fe5350811f2ea2763d2e7970bbe47358753e17

SHA512
23b6d1ea0ec0cf503819a3197f62f1bda03c8dd21a80f8611828b226472c7a5eb55ba71f00c93cbacfc4db68bfd1e37487ad8b7524b90d49690eb870278d8ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
106ed94e8967d3585f49681356b43ed5

SHA1
805c01bc973e3b7ca6e32bab1d33c8baf65c1d24

SHA256
29dd0fbcfd8c993dbf32c46f607e0fe6f77dfdc7977d30c04e0c3a9460f39fd6

SHA512
7ed65f11ee54ea4db001d469cc88f3e2ae41c0aecb9a238690bf1b94992760b47e54a89877d6de392ef819a771e74f21a2b196ab3398b7ef5a80b0acf1ef1740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
a3521e95816c0929107f10b9dd255cf1

SHA1
f90b601dda4a87f9bd356ec88e826f5765917438

SHA256
f6e93766437332047c04840faad6e1620c2d804ae200a3a496aaa9a38232ccf4

SHA512
13e862830fe30f0d3e307173300e5970b4ae1a866fcaddf09ea7001834b549cf39eebf773ba0ba1f1ec907ed638e347e4f578a758a1aade3ace85a821140880c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
fdc9f339425c931ed036a981fee1935c

SHA1
fce915f635135199d06866890e73d5b483b4c7b7

SHA256
85b6edfa62a61ae3847ac1897c8a771201b479e8e6998ebae400c08776f179d8

SHA512
c090f87559deffa7f59869cd842502832cc9b89a33b919663362cf4536181dc291a21662b61c1b55614a4d4d2c201890d448bc496ab81eeb8fc0f2817cbb01dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f359.TMP

Filesize
874B

MD5
3042552607d7807908696ea393379e7c

SHA1
4f5c0401a449810efb3126828b603d640ae9cecc

SHA256
8293770ddb07a0da8ae0f8d8308e982f6e7b1e6b8924198c84bddb99dded38c0

SHA512
44f0575c668860cff5abd9a87a69a2ef51dd0f53852b601e1e8129329f57647451dc26e3eedc1fc375eb2c88dfc3eac58bc206d2fb216bca371c990f687fe9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
724d1ab7691fb6e45458ffe335b52813

SHA1
ba44e85e437e20754abece7e0a408c3744c5869c

SHA256
ef5d830b733c729061745b03195d695f8dcc1ddf71f9034563dca10d9c6765b8

SHA512
509f61f200b7312de93f5e787466e02ffd66502c2414a148db77554777098eb7e7f700592bb4a156af2ec361fa73e220c5bc58b64d4ce56b2e62fbf941584d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5d4d07d5d10f79e3d50a3b4727d35ca

SHA1
771df294a0600fcb746bcfaec611bbba910da9d4

SHA256
eff12c4f733d9d11661b052265dc3c5f06aa364b46fbefc57b499bae368aaeff

SHA512
7f89ece5a9c6e33ada7344107ed9bddfedb63e0a73fa2a5c12565d7cbaf31e93da9e62389bfc231c865b890f7f75eb916c48dc0aa031147074c6efe00e180b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
19e313e0e044d1ec5107a0b04fcad433

SHA1
6e23059fc2b94310b5188177807b58f9849b06a0

SHA256
fc997af8245c5cd77e4b262495331f4f9b5a6cb5f063d64aaceba26e82d3ab92

SHA512
4b7d27fe86c4d2f84a7e196c28fb923485b4790f589b4256342bcfed4f30477814222df9a87472cd5e12657f18139100d5f6e6a69199537e92e4d164a5f9a734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c730fd7a57cf4cb86b7526aa5c2db37

SHA1
58f9a895cc93cbb2d89f120ca35f5dc0c89d19d1

SHA256
0842a286e009c1c643e4e1082e7e1ff37a876446d125576c22b928f669d48f0b

SHA512
9dc849f8207a7b98f51d1f22ce6d3b1dfebd14ceb6615b3a162b87d32a417a26af40b19cff7ffa513cfebb939b3155fe9071c67fe3067eb339d701789f9c3681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
23808a4df3b58dbb2cb005e7c81ee19b

SHA1
537ef0ef479429051c648cbb3a2fea9ed29feb7c

SHA256
a266313c54a35b42de4700f4ea7262baa6a9b3d492527a24bd95f9696f39f43e

SHA512
419dbb66434c70f0eb8b1204e6c0f138be82576a30185c02124864751a6d7bb1b335d37670c670e56c4e3286d6aa3dda8975f40d081c0d685eb7197b6c512e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGID2B3.tmp

Filesize
24KB

MD5
033649d7b623b2f8cd29854ccb6d6a4b

SHA1
9772f7b7b11625fc3dea7598cdf5b6d0fc511ae6

SHA256
04a0fbd0b5c3e4f7e3558a3871fe3f3cce5013a330941c3e72b4cdb19c81f2ad

SHA512
90df8c97c8d8062970d76af2235c3ab78208c95c332bbc04e72e2782cb926ab12dbb1098914f453eb7b095ee7dc50f80d4cb96c5931a51a25efb5d91a3c50989

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
be6cbece63cd6337ad33f0b3d51aa70e

SHA1
7126b085cf735b3a6009bb289ed7957a5851740d

SHA256
553e25078cc19e4e5e1a2273900233fe4938b7ac8c69617265af8dcc6752cf0c

SHA512
a2576b9449819c46c4dbb8f09ef2851b22984e24f232fdf9aa9fb7f8ebcaac6ad339403bd6a636456161222fd08cc89f9e5bd3d95decfad188810da4b1e9a811

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3e772dfcb812e8cdf4cd9306f05668fe

SHA1
13ac7ac452e7c095cf913fe80025ff998d575516

SHA256
3960dde93e1f498d9b97efc71e13a445b799dc5dcc272d9aaa14ebcf5addf54b

SHA512
28934259e374ab2b39af2eca48b3bcc49956874d5dd43144ca9a7a4277b3ff8e9f5482e9d0a21bbaf96747c804993efebdc611fdb3b8f79774695a7c0bd94757

Download Submit
C:\Users\Admin\Downloads\000.zip

Filesize
119KB

MD5
d113bd83e59586dd8f1843bdb9b98ee0

SHA1
6c203d91d5184dade63dbab8aecbdfaa8a5402ab

SHA256
9d3fe04d88c401178165f7fbdf307ac0fb690cc5fef8b70ee7f380307d4748f8

SHA512
0e763ff972068d2d9946a2659968e0f78945e9bf9a73090ec81f2a6f96ac9b43a240544455068d41afa327035b20b0509bb1ad79a28147b6375ed0c0cf3efec5

Download Submit
C:\Users\Admin\Downloads\Ana.zip

Filesize
1.8MB

MD5
cb6e4f6660706c29035189f8aacfe3f8

SHA1
7dd1e37a50d4bd7488a3966b8c7c2b99bba2c037

SHA256
3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

SHA512
66c3351ce069a85c9a1b648d64883176983acd34c0d5ca78b5138b7edc2890b34408e8e6fa235258d98c105113d1978a68a15262d6523a82abb004f78b06de38

Download Submit
C:\Users\Admin\Downloads\Ana\[email protected]

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\Downloads\Ana\[email protected]

Filesize
2.1MB

MD5
f571faca510bffe809c76c1828d44523

SHA1
7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2

SHA256
117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb

SHA512
a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51

Download Submit
C:\Users\Admin\Downloads\Ana\[email protected]

Filesize
1.2MB

MD5
d5e5853f5a2a5a7413f26c625c0e240b

SHA1
0ced68483e7f3742a963f2507937bb7089de3ffe

SHA256
415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3

SHA512
49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

Download Submit
C:\Users\Admin\Downloads\Ana\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Ana\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\Ana\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\Ana\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\Ana\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
C:\Users\Admin\Downloads\Security Defender 2015.zip

Filesize
459KB

MD5
1e23b530fefbf0e4c6696ce8a0874081

SHA1
585ae1e314118bd4cbf15d2a66a6b708d2e46735

SHA256
5daf5731d28583a37a7d574d1d32ca89e2ed2dcc448cf0ebcdc6d43bc4981a92

SHA512
2312469eb3fb93f311bf28c14d2f5ad39e3ddd3ad4aa19306f8b276d4f401972fdc5e7659f388c08dacd739a8162b05d06e052f4342edf1c1dd9aecdc32560f0

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Windows\INF\setupapi.app.log

Filesize
6KB

MD5
b24943ae00cb7470394e2d3c61d48acc

SHA1
6693d739edab8acfaa38339e009a45a5138fc053

SHA256
d85a66e49b08ebdabb58ce01bcca4933fb35259d3c04cf6455e6706e330f456f

SHA512
4c5989cd41e04730a54396d21afc7625c8737aa6f82605b2ce7a8451df07893d0593cc5614f51bb00760d98cee7bbefcffe98cfc7916386952db15634b4880a3

Download Submit
memory/984-887-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1524-769-0x00000000007D0000-0x000000000090B000-memory.dmp

Filesize
1.2MB

Download
memory/3628-827-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4116-893-0x0000000000600000-0x0000000000693000-memory.dmp

Filesize
588KB

Download
memory/4116-886-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4116-890-0x0000000000600000-0x0000000000693000-memory.dmp

Filesize
588KB

Download
memory/4116-894-0x0000000000600000-0x0000000000693000-memory.dmp

Filesize
588KB

Download
memory/4380-824-0x0000000000080000-0x000000000072E000-memory.dmp

Filesize
6.7MB

Download
memory/4380-909-0x0000000006240000-0x00000000067E6000-memory.dmp

Filesize
5.6MB

Download