wannacry | hxxp://google[.]com

Analysis

max time kernel
1158s
max time network
1160s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2192 created 2848	2192	taskmgr.exe	156
PID 2192 created 2848	2192	taskmgr.exe	156

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3ECB.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3EE2.tmp	WannaCry.EXE

Executes dropped EXE 64 IoCs

pid	Process
3104	WannaCry.EXE
988	taskdl.exe
2720	@[email protected]
988	@[email protected]
2960	taskhsvc.exe
3656	taskdl.exe
1012	taskse.exe
2848	@[email protected]
4960	taskdl.exe
2004	taskse.exe
4980	@[email protected]
1672	taskse.exe
1152	@[email protected]
2660	taskdl.exe
1680	taskse.exe
4260	@[email protected]
4804	taskdl.exe
3936	taskse.exe
2904	@[email protected]
4520	taskdl.exe
2004	taskse.exe
3548	@[email protected]
1632	taskdl.exe
900	taskse.exe
836	@[email protected]
2072	taskdl.exe
3616	taskse.exe
1624	@[email protected]
4232	taskdl.exe
400	@[email protected]
3384	taskse.exe
648	@[email protected]
3368	taskdl.exe
4580	taskse.exe
4892	@[email protected]
1616	taskdl.exe
3820	taskse.exe
488	@[email protected]
248	taskdl.exe
1808	taskse.exe
5016	@[email protected]
2076	taskdl.exe
4680	taskse.exe
5068	@[email protected]
1380	taskdl.exe
3340	taskse.exe
4524	@[email protected]
4716	taskdl.exe
4728	taskse.exe
1076	@[email protected]
4244	taskdl.exe
3340	taskse.exe
652	@[email protected]
4896	taskdl.exe
1016	taskse.exe
412	@[email protected]
1372	taskdl.exe
1492	taskse.exe
1392	@[email protected]
712	taskdl.exe
5760	taskse.exe
5768	@[email protected]
5840	taskdl.exe
2928	taskse.exe

Loads dropped DLL 7 IoCs

pid	Process
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
488	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykbbwuyjdr767 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
3	camo.githubusercontent.com
4	raw.githubusercontent.com
110	camo.githubusercontent.com
115	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "55"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133784624212297475"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2156	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2808	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3588	msedge.exe
3588	msedge.exe
2924	msedge.exe
2924	msedge.exe
580	msedge.exe
580	msedge.exe
3584	identity_helper.exe
3584	identity_helper.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
656	msedge.exe
656	msedge.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2960	taskhsvc.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
4808	chrome.exe
4808	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2848	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1320	WMIC.exe
Token: SeSecurityPrivilege	1320	WMIC.exe
Token: SeTakeOwnershipPrivilege	1320	WMIC.exe
Token: SeLoadDriverPrivilege	1320	WMIC.exe
Token: SeSystemProfilePrivilege	1320	WMIC.exe
Token: SeSystemtimePrivilege	1320	WMIC.exe
Token: SeProfSingleProcessPrivilege	1320	WMIC.exe
Token: SeIncBasePriorityPrivilege	1320	WMIC.exe
Token: SeCreatePagefilePrivilege	1320	WMIC.exe
Token: SeBackupPrivilege	1320	WMIC.exe
Token: SeRestorePrivilege	1320	WMIC.exe
Token: SeShutdownPrivilege	1320	WMIC.exe
Token: SeDebugPrivilege	1320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1320	WMIC.exe
Token: SeRemoteShutdownPrivilege	1320	WMIC.exe
Token: SeUndockPrivilege	1320	WMIC.exe
Token: SeManageVolumePrivilege	1320	WMIC.exe
Token: 33	1320	WMIC.exe
Token: 34	1320	WMIC.exe
Token: 35	1320	WMIC.exe
Token: 36	1320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1320	WMIC.exe
Token: SeSecurityPrivilege	1320	WMIC.exe
Token: SeTakeOwnershipPrivilege	1320	WMIC.exe
Token: SeLoadDriverPrivilege	1320	WMIC.exe
Token: SeSystemProfilePrivilege	1320	WMIC.exe
Token: SeSystemtimePrivilege	1320	WMIC.exe
Token: SeProfSingleProcessPrivilege	1320	WMIC.exe
Token: SeIncBasePriorityPrivilege	1320	WMIC.exe
Token: SeCreatePagefilePrivilege	1320	WMIC.exe
Token: SeBackupPrivilege	1320	WMIC.exe
Token: SeRestorePrivilege	1320	WMIC.exe
Token: SeShutdownPrivilege	1320	WMIC.exe
Token: SeDebugPrivilege	1320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1320	WMIC.exe
Token: SeRemoteShutdownPrivilege	1320	WMIC.exe
Token: SeUndockPrivilege	1320	WMIC.exe
Token: SeManageVolumePrivilege	1320	WMIC.exe
Token: 33	1320	WMIC.exe
Token: 34	1320	WMIC.exe
Token: 35	1320	WMIC.exe
Token: 36	1320	WMIC.exe
Token: SeBackupPrivilege	1128	vssvc.exe
Token: SeRestorePrivilege	1128	vssvc.exe
Token: SeAuditPrivilege	1128	vssvc.exe
Token: SeTcbPrivilege	1012	taskse.exe
Token: SeTcbPrivilege	1012	taskse.exe
Token: SeTcbPrivilege	2004	taskse.exe
Token: SeTcbPrivilege	2004	taskse.exe
Token: SeTcbPrivilege	1672	taskse.exe
Token: SeTcbPrivilege	1672	taskse.exe
Token: SeTcbPrivilege	1680	taskse.exe
Token: SeTcbPrivilege	1680	taskse.exe
Token: SeTcbPrivilege	3936	taskse.exe
Token: SeTcbPrivilege	3936	taskse.exe
Token: SeTcbPrivilege	2004	taskse.exe
Token: SeTcbPrivilege	2004	taskse.exe
Token: SeTcbPrivilege	900	taskse.exe
Token: SeTcbPrivilege	900	taskse.exe
Token: SeTcbPrivilege	3616	taskse.exe
Token: SeTcbPrivilege	3616	taskse.exe
Token: SeTcbPrivilege	3384	taskse.exe
Token: SeTcbPrivilege	3384	taskse.exe
Token: SeTcbPrivilege	4580	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
2192	taskmgr.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
4648	MiniSearchHost.exe
2720	@[email protected]
2720	@[email protected]
988	@[email protected]
988	@[email protected]
2848	@[email protected]
2848	@[email protected]
4980	@[email protected]
1152	@[email protected]
4260	@[email protected]
2904	@[email protected]
3548	@[email protected]
836	@[email protected]
1624	@[email protected]
400	@[email protected]
648	@[email protected]
4892	@[email protected]
488	@[email protected]
5016	@[email protected]
5068	@[email protected]
4524	@[email protected]
1400	OpenWith.exe
1548	OpenWith.exe
1076	@[email protected]
652	@[email protected]
412	@[email protected]
1392	@[email protected]
1392	@[email protected]
5768	@[email protected]
3740	@[email protected]
5496	LogonUI.exe
5920	@[email protected]
6104	@[email protected]
5464	@[email protected]
5956	@[email protected]
5220	@[email protected]
5432	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1612	2924	msedge.exe	79
PID 2924 wrote to memory of 1612	2924	msedge.exe	79
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 2084	2924	msedge.exe	80
PID 2924 wrote to memory of 3588	2924	msedge.exe	81
PID 2924 wrote to memory of 3588	2924	msedge.exe	81
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82
PID 2924 wrote to memory of 3832	2924	msedge.exe	82

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1148	attrib.exe
1080	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc597d3cb8,0x7ffc597d3cc8,0x7ffc597d3cd8
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:580
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5784 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,8425271791612047585,13311702251171071952,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7008 /prefetch:8
  2⤵
  PID:3296
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:3104
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1148
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:488
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 112461733988267.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3784
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4412
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1080
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2720
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:5108
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3656
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ykbbwuyjdr767" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ykbbwuyjdr767" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2156
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4960
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4980
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1152
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4260
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4804
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2904
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4520
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3548
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1632
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:836
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1624
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4232
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:648
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3368
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4892
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3820
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:488
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:248
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5016
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4680
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5068
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1380
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3340
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4524
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4716
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4728
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1076
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4244
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3340
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:652
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4896
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:1016
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:412
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1372
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1492
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:1392
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:712
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5760
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5768
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5840
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3740
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:1128
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:5600
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5920
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5884
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6100
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6104
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4432
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:5460
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5464
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5372
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5136
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5956
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:5148
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:3888
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5220
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:688

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RevokeRestore.css
1⤵
- Opens file in notepad (likely ransom note)
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4904

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4876

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2504

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2192

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\882f1f18249f4f41aeff86bf2f9b7755 /t 2320 /p 2848
1⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc59afcc40,0x7ffc59afcc4c,0x7ffc59afcc58
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1624,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2132,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4368,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5048,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:2
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5056,i,7135313606974034776,3174223614774487321,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:5432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bc855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
eaa8e9cc5b16dbdbacab1b3d5bfb135a

SHA1
de52e5975e08db56552b1d4e9e50e01eb0b8d714

SHA256
34edb7fc31e61d056a1f5517e5983a3c9ab251ee8bd009ee6b04085f76675fa1

SHA512
38c02b96f9308c012f7787a5d295d32af019bb66b6df88821bbae9f13ef3cbf933eaf95a03de6c70c5437bed668126719a1e69e49057254b3a70768350092bbf

Download Submit
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-2499603254-3415597248-1508446358-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg

Filesize
62KB

MD5
6cb7e9f13c79d1dd975a8aa005ab0256

SHA1
eac7fc28cc13ac1e9c85f828215cd61f0c698ae3

SHA256
af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67

SHA512
3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f69e70ee3cb4400a427de22786d7961f

SHA1
e181bd04532b0e9c2195721bf33970a781418c98

SHA256
2d9a4802a38d9437531ae61b7acbad0589307b9436dd2f271c3cb89a2fd0afd2

SHA512
ed1c6b7acb95d4c2939021ec7fffd2bf955f81d94a0a7656e3a9b25b17202fb10764efbf8182d98d1c522fefbb176d154898f101346a59dc47517d44e30f4d08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6b71ac2ca8b3b788ed998801cc4880d0

SHA1
b6f159175a4440028d852be2176d0f24f8071b38

SHA256
f748332afadd31b148812ea261593f7cc04b38038485b5afa455b9e06afae8c6

SHA512
c30f2cb988287de16d6a992560eddb5874f8cc7b5fe9496461fea2d65cec9bfb38439ec583c3ec8909555309b01e5377b5d31dc612da56ed420fbcbe957c4c39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe65f51a.TMP

Filesize
96B

MD5
24447c00129001271ef2d55897e55c59

SHA1
e171cb4829133732ddb451f4da21f7292de23c33

SHA256
03d7d3f0e54a9b61345569886e01a1712e261dbb39d2dccc368ea0ac382894fd

SHA512
79981e115adfee85bbd7528e9494ccc1aafff925cff9700904b92dc4dc557f343c8ed11f7225b2258ebf10b49e9c0f522acd357924f18defa6271377d67ab09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3afc58fc3deeeadd6841f1aa29d7d855

SHA1
f5959da269705a048c28b398be845b745fa8a207

SHA256
9aef50c0ba140530f4d1c0947ee48340189a105901bc4a8e2396fc2c8d0d4876

SHA512
16068d48af784ecd7ed70eb3ae129f1c1384acf2fccdcd32fb13bd7d5ddd7f5349d839b6e185a75e180be1f2b1529e37e1b692a2d68dc49737d0f6437e0581d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dcd45a9740fec11efc2f86b18cb434dc

SHA1
c0d8318db31c14b7dd76d38dce2d8e75d709e4a6

SHA256
b698744cb691402719d0fcf25dbde3efb76edc9eaad9d02d52131bcc30985044

SHA512
0987dd53be62f44e96adf0f7136953d9da99e07997c5276e1edac1fbba213d9fe409a35efaa66ca7e05448c906ffec6ae0213ef6d84f9b9eb141aa2a295d3f06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7cab356484de7dd70cc3af239908cda4

SHA1
521ea7711033033a71d239947c118bb386c23f44

SHA256
eb482e26e36ea4a007eddb4d0be12014d0523096bcdc6f791305553e57f0f1eb

SHA512
8b9c9679c50a33a4ed9b99765a91f0c7067bfe6c84c45c3ea3628cca53582ee1020a23d7f1e8789891b8af6a714b15df208c28febe8c3a51a2b61bfbecdc8fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
549940d7b03a1a50bfc80a02bbcf46b2

SHA1
1e2097aa90c51785920dc6a26abcd34d36f0a1c7

SHA256
e638d4564718b0d9746be3ae3503eb8cd38bdeae1b828dc2402fbe511e439ea9

SHA512
20cc02c39a24c99c2c480917d16e3b1b04546f6aacbf4153a68b3069327de12040ad944c04b6cc589e7db8a71dbf37acd9dcf6787ba7da616c174acd3d72f549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
330e87629ff3def034bcf48433784f16

SHA1
48cb8a02cf4e9051843d18e27e362a376dd125cc

SHA256
7ea29925ef25439584a9bab51713cd6194ff39d6a9ebe556b1e694656858a711

SHA512
de66d57eb0a8fd9fd9401ed03ebc413c130a71b21d1146d49dd0559ab4d449d5769b8b23c790eb37fb01eddccf5ac4abb3fcb72bcd3303d10be51a00bb41cbea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e35e9fbff55ff90be0a5786591794a6f

SHA1
948c8803e8583baba9a02e3c243ed5831dea6483

SHA256
ea87a9b065e880f25c15af0b718ef60cc4ddcce7aa1311c01f3dbc2d9559f6f9

SHA512
5eb395d9a9c1d4936aecaeab960677d349ac09ed752448614b0a0d5354dcee82203c10fb65664bdc438b8b70a7c4108f92a78dcf567a9f956f5bb449298c57a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe65f50a.TMP

Filesize
48B

MD5
09b2e9b6f468642ae70d4e5d80309619

SHA1
2f2c9fb1673f8db5d0481df33417716df4af3abf

SHA256
3d86381863c1efeab7f6949f71df87f9c7ce1c02b288a9d97512104282ec3f82

SHA512
57c9e0bf51ac50e8fc9fc3ad19bbc76be51622df651e50f060884819db8899f0e56e15bb3f080038fd6f5dc9e87c367ec820f24b746a7cdf8c9ce7095ed9da12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
e8f806c9a6e21c2d8b7b9f7dca8cff36

SHA1
94c9002b93ce4aa1a6ec95c2ce3bcd65165340dc

SHA256
b581c27d27c84111cecce48100e766b86705b5c0a94aed08ca9eb9ea83d7145a

SHA512
896fed42e4b2aacf6e0fd0863ee9cce17553b9869d41907d5e56c1c5c078e54fcfe252e840de2c330b50da64ac3ef2a168e72adb2c07ab78662cbfa16a981936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
53d3207edf7ff7671e85a2832bc97015

SHA1
c836af3eeb4b9cb65cd67abde25d37900e6851aa

SHA256
9a206e93af2c7c30ff6e8eea8025d9ce0e6fdb3a3245c0224947a0335c35436e

SHA512
f4e396acac4a6b692f13d38811515da599e8ab5e8fc500f025f51c148998645400569a893f7a1e0b521d36ef25f989f94d24777505a8c87d4d3beb25468e76e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
72KB

MD5
c861786c0d01072429140231a1801ac0

SHA1
0acb262c35123c6a716a12b2aa0e7d5f663b9675

SHA256
414ebca0b2c0d8afba6c5b6fc8ce632b4c194f3091fc2e655bde2dc01252a660

SHA512
9781bdb30b85c0715da582f24ca2d72e4b8e31a4dd6f3399bdac87a12e6d8b024dad48d240201298af31542b750f4a6a1ea1c8bca3d8b3efa94b87dce58e16fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
484KB

MD5
743b062f922c20bbce835f414673b355

SHA1
444cbbb49f390bd49897ecda90f405c6b74c2ffe

SHA256
6b3eaa1111001fbdb116a36e084f7e27c5a98823199ba733fdf8dd885fd46f0c

SHA512
0d7f38dca1c69a9daf7dd183955c8a602f4ef8fa8589dac643764fbf51eecb3096d8eb65ff02fb7a279c467a97aafc2eff29afa66f4f1d2d1c343f56d333994e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
52KB

MD5
c4043dbb4e827caa618a0152560165ca

SHA1
f826d5db6722d6a0c7e7299dfac7cbd7ca271bb5

SHA256
67c43dc44ff55e8787aed2109a8ac23d4cc7f4dca0fa09b0b8d8e2de6b75baae

SHA512
8704d6d556a439126e1242827ecd248433ef7819051991aa5f60bd7f095fc1959414ae28356fe0079f1c6e44d2a76bb7bbfa46c5242aa1b0576b8940560318e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
74KB

MD5
74ef20edbe23aa1c52c3a20d85497f06

SHA1
39a161d50cec2a101514f45b992e83e26104095c

SHA256
b2d2cd3e7d55fc32fa225539497d35305113edf836ec366b93af8efbbec10c1c

SHA512
8428bc36a07940f2b35fc75b0e48ee8384fb0b24ffc58ebef9cd8f794c9ec33b617f17358dede560a7fbbb183869665e8c8950422ee34e29c60be0bc405fc4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
108KB

MD5
6f2ecec8606a6dfcd3c87d8ec199cada

SHA1
fdb16efd9f553fdd2d94565a5b174b6a32646779

SHA256
0fb22b0581a13cb370a4225a50a49b44f1137176c6b5957346e646781941fbcc

SHA512
1f1d29f69ddcb74484040df2ed18c7bff03501d5365a10212fac12f04145d50b1c52a77def2d1aa0e06244c6fdd22876e3efd92784f92d46eb8f5f3be4c666e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
23KB

MD5
780ea0d92bf7896515a7dc5f7678ce07

SHA1
c95b6bfa9ee20e514b2d5dde8977e3cb53f97f24

SHA256
02a6946cc7e4fea77751623e3ab4130a26d4363d6e75c802835b124659db8c21

SHA512
f4adaac26c47e0179f7ac0aecc16b12f6323330816759c9bd473224587bdac4b388b2ea5318bd07ef781e97566d42e3df55d8ba8efddf5c02f0e9e3888f32d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
89KB

MD5
021122b8f3b84053f0b4aefcfc844754

SHA1
3c1a227423ef4092d9408f03e14bf59dbcb273ac

SHA256
07e9c8bd4b8032dacf9400e3fbef786caa1b5ae315cac6f9c45f6377c486f787

SHA512
37d6ff47395f19f685f62d410ce92749c37a78d4ff09208817a618654c0874c8302f173ced69bdb430c37a4007cc2c201fe8093b017c924a4e124744f9260d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
49KB

MD5
d32d3bbf5b190f9e3b093bbad55220d8

SHA1
823b03885aa885c8dd6c6487a9930f417d6411a9

SHA256
caa70892b9ec5a6df1c058b84d64da633727f790601daede11e9a322baa88810

SHA512
f50b8e584bb4e331786c00e77e0e8710fcb8a3aad36ab7c67f2abf12659b337cc9dfdb91bfde19e34b1aa8094c503e91b67980a6ff090d2d499c1d759ee08a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046

Filesize
31KB

MD5
925794079366a08819ffa50e62b3a574

SHA1
f4f83a174c5399371004197659c0e8107a2cdbaf

SHA256
e14b6b87c472df9caa1c206abfade8503f3b9d44fc7053131e023be4b42601a2

SHA512
c268ca8b428ea5b6a5869bba5335841d4bb70721cd3b93ea4f2687d1626c5c7cfdaf8cfbed417e4c644a1b6f4b98e00a11e220d97682f2a77e86b5ee4e71b7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
18KB

MD5
355f4cb55cf3649df1279aef8226d09b

SHA1
c42037863b9952e959962b37bc695273a0e5e4eb

SHA256
5a9f7161c918a8f1ff42a5a48053d0fdaec37432524174e23c7527d82d826312

SHA512
a365babd3c5f31428eda72c148cdbce32e807600d28b195bd6d2396c1e953bdb335a086d46e35dfc767ca2b16f961fba508e537ded618b24e68e6f6d8467e846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
127KB

MD5
055c8802c35adcb732a9b243ba1c9f3c

SHA1
b70d60a1825f94dad4811698da31e484a015ab31

SHA256
b66471ea4ba1d59d2299d6f35cb41c0854ba2a546f932c2f60e8871c55eea33f

SHA512
d3b33acdd7b069e46db7069c6e30eabede2a560f88d300c5f5fb23f53a0c5b92bb3620f44d17e0f779cbffbe4f8f130379c40838bfc9fce82b99da043cc05afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\05cf05598c8c9087_0

Filesize
19KB

MD5
06967d01c79e4cda38ed991d17b2dcc7

SHA1
fab141dab7a4899ef5eed8bb117e586378563550

SHA256
838dcdaf36339e7c068d0bf307bd5c47615274491e25eea6336421149a8c9559

SHA512
2ab138ac758cb019ce7112c79f8e5eb8e1b629bb0eded3af4d929e17dbbb4dd52b4f1467d4e71868daf2bd76681c45037def35271d2ee58bb2c339d29c9dd18a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0b6d0407e32758d5_0

Filesize
278KB

MD5
870992e02839283b854f5696ccc25ebb

SHA1
bd3ab9e479f183e10182e411b84fe642d41f53df

SHA256
27046b36a1d3ae9ecdb246376136473997b07fca3ddd4f0acbc0c59d1bc9b2ac

SHA512
4c5c1d4f2d18ffc6f12bfb218d229fae0c72b473263fb01a482d0e819c325f57a1a32a1f8e06c61192040dd4ccc92568129fc8d04a5787426317d41b59257b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\39293c4cac64c73b_0

Filesize
1KB

MD5
83a9b800967872984f6b1c29134ed363

SHA1
e3917d0811a9a0b51ad6dbddd3927bd7d1155394

SHA256
bc722dd43da43b8fa74eeb24d95435ad08dbfcf70d100b8794c10f7b91c054ed

SHA512
0bea88c314b132768799129582593e049fbb4fc999f1ca4f4a01fe693ab2946df92e4fe84663d59cf9e71bdb86a0ae0a4ce03ba17204831d641bc05edf20a7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\430c72fe3a179b50_0

Filesize
341KB

MD5
3fa72c042b91cdd2dddfd471e2e06eb5

SHA1
15d848ac4bd6634cffe00f478d3e20f6e354e2c7

SHA256
b3a608bca2c21924fe482201361bf09286fcf83bb959de74d75ae34d3154d6f4

SHA512
7f00571ca13553bb48981c47afe6a4f8207837f39dca09c792289f762838ce4cc549072162d386223b75d8114aef04d6b92bf621cb23461c7adcea7c1cfea34d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\538d1dbdb6dfd54a_0

Filesize
352B

MD5
5c60c78fd356377ebd3833d76c40f6c1

SHA1
dca16611026e80466a3af2c3573b764d5cd28d1b

SHA256
57d9fa6b9b25a9f718fd352c4b45865b463da63ca2372dc32856ebd21c12ca80

SHA512
4378c70ae7c94072caeb456931cea480960cc2e9014ee2777c3e5a7c1cfeaeb99517e3b71801c53a83baefccc3ca918bdc9f911dc414dd68f324032aab00ac84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\661b323d4e8fc51c_0

Filesize
20KB

MD5
a4d85462a49ec1fa3b78f50a94b9fd2b

SHA1
404dfdadb892bd82df1f78454bef5fdef05dbd83

SHA256
2500cfe369202d3c0cfa163fc0f7b5e53127df08ddc8467a026943a2fbf9d542

SHA512
024da7a6ddb1ca2d5d335bf732e606708efc812f9304ee86bbc8725c5ed674ea452237c0b9bed636bfade5f28cbd9fbe64144d6c1d2aea8b56cdea3832b28cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\70f11c44dee0b9fa_0

Filesize
3KB

MD5
868c95723fe6da3594d74c0c3a4a1ba0

SHA1
15e9a8cb31354a96c11f1bcbbb6d404e548844b9

SHA256
e6ca1cbcfb22405778872e9174858184f816578a8f8f99407ff700f6392833c4

SHA512
008150c1175f28960ca67bf89c5e18611fa90c2076a9c652e6bbcffd4e39b134105d7543943322cf764283059ab2e173e8c166c9a741d3967565d926642ccc69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9738a429f4fb2daa_0

Filesize
4KB

MD5
34a1346d30c3726f3f4db3b5a9914167

SHA1
7a74f94a1403aa4537268a46a87bdf559b6f1fef

SHA256
dce79a53e0cf27c9692d617a35594a83b595d6c575ea4022578d85e4cc53d3d2

SHA512
f74e9c82ad80bfd92c08afbd4aac358f7465d599eac8821d0fb26e121e98d05db5fbf87f376b40ec64ae47443957548885cb5f7fbbb1d0da7b5f9aff42343ce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c219c5001baa8283_0

Filesize
3KB

MD5
35f5d43db730bb1dcc25b372ef4545fd

SHA1
d135b448af6acffcec52e5c485e4ccb366464734

SHA256
f84439ceb6e8b451fe61630788c5af88c1be394a7d8d144ef483a7af7f67068b

SHA512
fd9b048b7df3b437227ac1d5c8ca4f52df9d34984ecfa467fe58d03976bfbd028034ff6fe7052c546cfb55d77cc2dc7ade545c5fc4b2d4f1a1d4a3516bd29022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ca1f2b28bbee227b_0

Filesize
352KB

MD5
27d56908c3fa8ef673fd5ab8d40e3016

SHA1
1d1197b02a45b1cfa582cfe1cc98f4ab37634ef7

SHA256
00dae30d8d27b6399c871b405ab14ef833fe8ba931b87625a99a9ba6fbf97e27

SHA512
db197da5cae4e88fdf01320a11551eff07276c76c976098e00d00eb66619234b999d907612172334beca8549c9df039173327a7b310c529dad8ee275960248ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f040714685f606d4_0

Filesize
1KB

MD5
b36fc107640581de35d16864a1cd4b51

SHA1
a1b8a793637285e88fea670674e5fd0bb91cee96

SHA256
8545b024da52f5777620f09125ab32a2ec1dfd1237525123eba7329acbc4a852

SHA512
8ccbbcedae40b998f8169e9cf899ec5178c76565c63dd5b55094ef623feeb41be44a595e8bd4ea4171dd8db0af7a7346184f7def2e106608c4c856b13d3ac0f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f14a2983a76cdacf_0

Filesize
2.0MB

MD5
5c33393e5c6788f470c82a211a25dde6

SHA1
28c651ab4749b1f7e8478e620767eb6dbdff8e84

SHA256
834fa40920c07caf03c80089ae8145a8f6e992d7a562307793d1d48d29e45549

SHA512
27e8b5c9b86b2cd6b0b99746646bb87d36c39e7ffc57fdfe5c8301442fb5aefaa5680267d33300efdcbe614b92bb3eae7d2de070aff8c8a443c371c6d3bc6b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
99b47094dc67f74cc3b9ee44f70c1ebf

SHA1
32b6a3e0ce7b4e959767fdfa9c9e6cb0cae1c8e5

SHA256
52a85e8b2d418ce07dc81dfc2804987d3f73c91ba93e92b4a038e4d8b0fb4e43

SHA512
7d2acccaea3f84225649a3b395ac76c9e683a6f61e978e4d153ffef63dbf4e123b7f23ff9308e9bcae9c33f6daee3a5138926151c3adc330642822ee865c1354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7c692a13f847089a6848c91ca22d3a42

SHA1
b29385f0c4480e29f1b7781002261507e9da11ba

SHA256
88656dd4057a2eb1a652c3895b5d1990ba3c85cca1a56916c29f69ce45ba8498

SHA512
4f9a0ce3048288447f03cb6616caee3e98f9d4fab308ea87eec3ead57ecb355562c5b2e986e82f904f15dd71fb59673229ab65b2aef76ba75b77edddbab303ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b571e5bdf54ac9f49473e265ad08d40e

SHA1
493678bfa268b2af4786e0b3bd050bfcf14e50ad

SHA256
b12b5ee568dc62c0bc492af530dd12e34de2dcfd4a05807cb43c2fe407e3d764

SHA512
2d11e1c74cfb9d259de8fa8c0f4a49471695f9346c623591933ee8b536c3adc39376faceba823ba706a1d2d4c9b4f053f8c1a1832d69e1ffa5f579037ed55432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
19f051fda50c55e8c0100690f91f13ee

SHA1
32443a2ed1c101cf331aaa8dd9229bcd06aa3397

SHA256
b19927fd88bcc5d7017e8e8b18f5a14b73b9704ad9634a510ee345e2ca06dd14

SHA512
5383ec7836ef901bd30fb7c5e225ac99a8793018fb3f70fd0b04e8702076080cb48316d420a13be25937ce5dfdf9eec01b62947a64d3cb78a28c4ba15851e54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e1ab44e6a3c655187aaf121774034caf

SHA1
0e359d65d5254a42c0eb98453523312c995c9dfb

SHA256
12067febab13c37380c3b8070ab49ce86de3a2205090c95b778227513030ed04

SHA512
631782ba395fd640cd60274737990410dcc38001f313dbc776d42427f3fdc6a3f0c83d4ccf957f7ad7f99a5695630f741565ec3fbc6790fe9c025943c26990f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ff457275be1bc6a967105a98630bbd7b

SHA1
f64446878b07142e5249853f459e3fe7d0aaae31

SHA256
12290cd9dde397374b479866feb5ee7913f38865cd8bd9a1654b3ba33f021559

SHA512
1fc6857bae83fc0a545734841946e191895439465588b473d2e1be8118e7a0944efbf2b2e086150d31788a5bc470ba590feee0de139ab9cccc53d8343c9b4fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9bf62b844e6d6b579a841d0ed6e28d7b

SHA1
ef0ab09f3d5bad6ccd21362aa24e012b1f00b26b

SHA256
90d0b0bba84cbbf3dc384d370da98c43986b07b4ed94ab47f5763cf466dc98a2

SHA512
41dd422359c16bbb4b041fbc0b3ad5a19e293e5e6f11cee6eff4b1325cfa0f38783181ae3c3a1969c869c1f2c0e8a8956f75fa8c512ddb945528948be28fb4cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
814B

MD5
7e8593c2f5142cb647c13f5d1f422022

SHA1
d8d95d2d6f8d5ffd2c2b2c84fb6676ed8fcd00a6

SHA256
3b7f8b85aab65a46e8a6d0ee32d3914f5b7729b79811f90f648553fce0afcbb5

SHA512
786856f0c597ccd2e739adda114740d0a4323168da4c8a7bed417fbdd3994449ec719963c6911de048ad9078edfac09506fecb2cdeab914605134cdab4a9e8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d29709b80df2b5609832ee6cc653513b

SHA1
00059fb93bf965df71d0256888a9116039fc84b1

SHA256
06fa69da913f0da70054e5332ff80afeebe9c1caa1c7b32a796bfcce2fcac7a8

SHA512
6259fbc3f9b2940622993ad3ae904da570b94eb48ee900b29324685a44e760d8bb8afd5c73dbf67120cb04edc5d5da7c1a860691b246a70dac0a2f1fb3c6abdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
10ae7c6a05173dc358b790c31b1497cc

SHA1
4fd689be2cb5e3bc786fde5b8502bf9435465c18

SHA256
c05feaef02b75a3f459654ac0aa5173788dbdafb8c9ca03f6e5f51657533e30b

SHA512
61e50a4be23e20f690558dfe212685cf537654e50a453689582054105dcc94d95925cb35a72f0384bb1f0665e77bff7472cdc594892d88d0dd8f2faa97c56d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
8f5f51c52ec4751d490da2aa0bd73593

SHA1
ceeaacd37a7448add5d3c88f16da45b71263b6ab

SHA256
2a91bf38890dc79937c8592a4ef03446a1949434b4e43915c4c5f8d66f373f49

SHA512
9b82e795a0f3768a52a944156a96e27bce76db1792bc11756bebc661e99bc0b213891f50978a29ef0c255bf8d040bb6ecf3621d2a8f9c81c0f69d223c4c75354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc986206f295d3f46bc97788cb8ea785

SHA1
518c4deff8117e839937b1dccdb49f654c9d8546

SHA256
6f6e3f2aed03050b20ea682967f8844496532777bb3e5d9e005d5026e050fa2a

SHA512
8867dca1853ace35ae2d95ab428504af07a39258ffc5db5684a7541f48c00987029dea8655b3e6502cf5baaa5ba06292d6f22c0003a1e0aceabc7f5c9e5a28a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
293772261cc38e29bad76f47ac3f5713

SHA1
8f8fa400c59a4822863503a5e5803fb5f7d1a765

SHA256
5a0c2be5bd30aea7d8bb6a5b950cfdc4011f39fc4f064571b80a2ab55f7fc794

SHA512
f21815cb62858465818fc55af250a4e10cd2194aad1953d63bcca549b3bcd52eb7c3defa0a80cdcb89e1ac1cf5e68e915521abb5cf522fa44736ec0a571460cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5b37ab87ca068311cb8003bcf474ad52

SHA1
18d0c4fc444d3562e93b8d3de1c93783fc48ee9a

SHA256
f954bab3d22075b8c50f6d8bde7fc8dbbbd4e8c71a3f4647f45fab3268cbf90a

SHA512
63a7e6c0eac83ea37db314a8b825430a3b3b92f0d571426eb6f33aa68aec219916e4c0144e104696c65479eb12cfebe033bf75bc3527adb97072604bfef76946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
50ad0b47f150d816cb12e627a33fec98

SHA1
db8cfa1e5d7ccf88ac4cf1da92442eaf4c091732

SHA256
49f82a30b1841d5344bb03a5f9cf1d96a77b34cbfaed746ffe6d7f4900d69332

SHA512
7add4b56eddf50133e6a1b32aaaca8f6343851279fb71a49474f1290e082dcf7ce40af3ff76bdb7ddbbd39c3a7312531ab76eb7433cb76d5a44221738498e03a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f879e9faccabad299a52e941386cfa38

SHA1
8e4c4bdd932fc9c8bf211f877601b9aa8f1e5652

SHA256
4046783e0f75746ab98cb1c16d31038b4f2a69f34c416946ea78b7ca4953b9a4

SHA512
4110223993ea84aa756d4685dce8cc2d7f943dba7c1ab4feccd1a7b7c5fddd0ecb14ce3207d31d2233bd6fe9b90a56a0240c2bf40912888e408cc680ad72be2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6df4f882584a744d21204246acb27339

SHA1
07d1a60a1c331ccac1383858d5ef70d1abc64500

SHA256
764913ab7f2416846c545ceec3c653398cae165b4075fcb3ba22826cb5c383a4

SHA512
ac0f28f034c635e61a2f1686e43afa459147c02fb151e032ea9080eb4403a0accbde2b75cb2e001c7b900b664875207cb2728c5277b477a21e7926a6dbd6187c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fb97fa7ee528dae82d8b9f133e647039

SHA1
156ea990c5672890adca9a5cc4932ff4f6fa61b9

SHA256
50f0e7c919accb5ca1455487af82d484f21b15b7dbfd7e85e4549f52ccb119a2

SHA512
a700a37f1b3f8a2417173aa47a8142349837fc85987a3d21c46ffd8c8068458e2271c3ace233e44a57372d704fabdaf4a1d4c47356da5e02f33256f22512dc0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cf572bce0fe987a4d20b0415235c634b

SHA1
d6e9ec1491b1ccfc74fc481ffbc59584c9b7a34d

SHA256
84df4ec1ff1299483c945cae3ac669b2cda87e3aea112a24b2de6b436060bd95

SHA512
26edeafebbdbbfdfe83eb1507908dffecc616a8d540930a71c3f9bbbeefe3df0d433bba7d3398ab3a96e3b257f3fac548eddddae1a585ce93d94ab17ae3394a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
68b768462aca2a4f6330af29be2ea5b5

SHA1
4a4b52c4fadb7af9c1d8cfc7eb2b852eadca223d

SHA256
3fdc3ce18843f61bbf911d47f0619feec336e022b45207c3aefdae85f8fad371

SHA512
c2be210ac261f1de96e160b5aab99bcfe1e1d37df0a5af9e49e25df51980d67f01b3b1e1c494c6021b6053b9c036d903f3a802676be3751707d0e0df6af95eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
952822c6c9b65950c390976c843c64d7

SHA1
6140990f76b4b5a5c041edfef3491ad70549aec6

SHA256
64a47a7c6d5c7ab4d88d1f073591e9636b43157c98ffda9b7e73e33fdbd0c386

SHA512
87f4b2908be40e85017a7b624e03ef69848920b6e7e71004230dee4c2d335d943e679ce87f4b56a1947bed02f9060ea6ec86d4391753e41c755b16526fce1bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a5c551b535bae2fd0db4f24f9b9c988f

SHA1
d29c33588216b50d3b6f88125c99060c6c8b2e64

SHA256
01b980542b7884cfa5e44616b69747d9cdddf93b170c8b116b6fc82076020c72

SHA512
17333e150b8e56f41d08e567616e53657b8807f146194d401547cad0e5dce34f710400bb9fea9022dd1a873058cb36dea849f8f2dc5462e20742a8c8f792204e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ee2bad67ccb05039fd91c131b486bb8

SHA1
660e0b53a9e66d460f1b5e40f6c7c95b0cf6ae65

SHA256
009b363830a5e0e3964bd07855d43bf357f9fe35db420384bd4be0f35d8a27a8

SHA512
8588cc121f5dac535ac36dad207338c3dcd3925723226b308b453a0dfca0f7b19f2b5c89a729b999444455e486e29e13e20f8945d4475bdc9d5517e4d6a93eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
387ade4eb65148744a94e5ceca977489

SHA1
0ec1b9e8b68b384356e6c893de33d1cdc2dd3331

SHA256
2edb79eef99a7866b63143280d3f4f7eff0ea7d2ef5c537fb8f215de6dbbf7a3

SHA512
27521aa91092f10eacb9f010b081a108cf9300768350f8298271f62148476f0861dd602a8d971605b076ad1db0a22b7ca829df5d9111a3a2fefe9de68e780e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2886bea3f00427ae8d4114850e98832a

SHA1
096749cfddc85d20049d0b96bc579825997659fa

SHA256
f1b63cf87d3e58807790f29afae3c688689e6ba104d33413e6eee5f3c6cad4d8

SHA512
b8d629c200c81fe45ea3fe4f24e7d7e333b62a04ad48254c9921c7636865d1277b9d255821a38a740c6dabfc0c75aa52ef7e25d1669fb06bc391accd462f7a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc36d0b8828c6a6564bc6b64556f3bae

SHA1
d1e3aad0b9c0cd9cd71f7b86f82fa8be42bfaf82

SHA256
8539f35c1c9996b8705d068acf2ad47e6a81b99a015f5a997d3b7aae55db6e37

SHA512
5ef19d22707898550d9ef535a34ec236c33f04f039cd734c31dac61faed0437e7f1d64d9b9d73cc1e52443dfcbd58d64265f985f81acd850bad1c82cf5804699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
60b299af3a08750013e81346c9a6e84b

SHA1
19e9c33bdd1d8fa1e56e1f39f5500eba0fc1cb1e

SHA256
e7fdedcee9eb061376cf159d65190eb217e9c5ea088ec580a09ac74768b1531c

SHA512
23b455c4f96e8cc5f8c1f5d2a823db3417a5e1917bb67c75a7867dfeb8b892b398549e3091d48763d0641e37294ac65d098646d35b7954b331d7a3f4c9f79977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ce2c8f359c79887013cce21698138433

SHA1
56e13f31c0982578f9850b6653064ac02068964c

SHA256
ce27d030cc17b40ed54952c0dcb79e188a0ca8b592c3fb7278f9ea0eebdc1307

SHA512
678e6a2518b1ae0afb2a0956b0b0a8810642eda5cbf12a73ff7edc1fa73fbf0790f2cc49b5e6136650aeb02b1a093edec185f95e3dcc866f18815520ad456d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
25KB

MD5
18d5e95f04e936ab5886ba19ad0c94bd

SHA1
94ce3ce136f91de90c3631368c15b3ea1b0ce164

SHA256
832060fbc6275398eea8cdb51f90cdbd3a22b5ef4cfe375ecc55b1bdae363cfc

SHA512
e57ea39d86905adfc421991750b9967e673cdb126fdb6a1afabef48652baa1342c394183b0e521514c79ae53a36cb1d8ceda3861696267055869dfdc92a48bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1

Filesize
57KB

MD5
407ab22ae8890697fd35ad345a182fd5

SHA1
f2b7fa294f533b399fb6cacce580005dee429e49

SHA256
cf247b1869a2c5f48cd1cf8122920c2d9bd7445183fcda9cd1f513ebd8dc9bc4

SHA512
b425e405940b61c8cfad386cab696a86f2a54a497c65b75aa94f16296022fefad5e1a8515a65d33c7d45fdc17496229a80d771507f670ad6a3ab4b5b1b9a722c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b32d6840ca442598f644c09d9e15e308

SHA1
a3fe85ad4100fd31f4384f88156d384a0c0f2810

SHA256
303fb76a25ab71f6893ff237f9539bd2b98cfcddaf8b0f4e88592d5800517aab

SHA512
2fc343c29d5a3eced04af8cd61006212e99c34508af512d6d3d87014b436e911e984a29d12a06458734e3c28772209f4b92f60b6800cbaca09a254a6ca8f3399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5af8c9.TMP

Filesize
48B

MD5
f19e3d2b5382e9c5ab69b515c04866d5

SHA1
b241570da658f7914c995c949ff7070f6462e890

SHA256
a1051bd16751aef396d212a0eb78fb06857b3ee3f4af8d65e00f3468fee4e5aa

SHA512
4387eb25e970fac4e60a9ee724c3ab594f6e100a582ea4ac4383045703ffa3c3b5c96fabf0672d3d519b1c1f9eb58d3176f59686e4833576819fae552bd01874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
560f988374dd820133496af610d48e38

SHA1
8cc474694817036af7fcf48299dd21f8f313a377

SHA256
67f13dad4fef84254de8e3192c1af98be795c5166d4aecb48562f77e3e4e6560

SHA512
dc737075223d89c607e0dda76600b5eff60c659e7f28a31a9d847dde759896e989b441f51013b0b7ed7fb57f29d3cdcece7c84de784c3dd7c253b131278b9066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bcda809ea8f78c59e3e4043dd6568d54

SHA1
64eb3e03e0b9d346fa83b797f52892e7657722d0

SHA256
83eec9b07eaf8510dc21c5f3cf065fb8e1ec8873a040c03c227c11c7c7d70317

SHA512
4acbf60054f151c88140a8a3fd9734141627b3f436a5ce72c2669198643f6a6a91a76284e67ca103ae4110658fd2a701a787e8347604481b375053a44d060390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
40958dd078b0f5df09395138d83e5ac5

SHA1
bbe725538c5dc8b36643f4bab595bc49cb6c4402

SHA256
d9c026bf2f3898dc77d8bb14cdd440317f707591db2aa43cb7b9259b1604b4ef

SHA512
52c3d28fa5634e86a6ecb573d37c802f260e27b1300a0278ef234b6d181f27a0e82294802911f5a0995f69578452c8784ce5e78b2ee29fcb2c24fa8aab2abaeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f10a26996dea040900e82eb0bd3a7846

SHA1
95e206ea158c5c530b1c058be35784bb642ee52e

SHA256
d64f87de23d587e34474ccfff0526ed9743ce6e4faf11013221579e4497ded28

SHA512
d982ae7a6a0bef0d3a3b411f29bcd4551fe3da1413c3a3685f145fb429f7e015c1fb5d13d24089502737f617a98510d89ce02f2574ee1a184616fc647ad89e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9259e27094c31e1f76f2fc0bcf20bacd

SHA1
9f58c548bcf12f728ddfc329eedaa1d8956b17c2

SHA256
d2827071cb5e029aa409a74319143f647465f0068ce8e11505fc0df445bd20e8

SHA512
782d9fe0a4c1c6c71368f96af33a9185ab2c6cc08ef1159239c963ad151b05166cab8d03cabc5eed4f292dfcec9c32b11fdd9d61e4f2677d97b58ab91c678fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
649c7aa59c30b5401a2f1387bacde857

SHA1
0f8a7613fb6d21a8876495e63f1d1c5bd2df51d7

SHA256
fb4b28cfcc3683d298002b3a8f201db27eda20b83cf85bc516385ca25a8592dc

SHA512
758bc53983de3d1ce183fcda18aac4bb6a3d072750962c557809b9492a3e7bcba96b2a2b6d7b615754ad6ed32ced53d4d8f851a810ce4da4bf5e5b8f4dff6e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a54b5eb7d2807685edc56093bde8caf0

SHA1
698b973146f3808c37ee3a1922a2da9904eee9ef

SHA256
0831877c1c6a29f46b0bbb18182387bf5c721c79b9edf953a26180fa1fbd8367

SHA512
0f28f0d1bd5a97cd0a800bce704eb9559e2b6c5670a35e91eef6bdaed75a5be7761cce41346764c5fd71f31d823147ca5b100a98ca5643680a0d2e3d78147493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
816792d9675e1382f6d50727ef4e8c59

SHA1
d8b6b281f0038aeb4f42c472b529b3626db80f44

SHA256
d8912effb0bb2466f4d694f8cb0dfb79a9cdd7bf52ec326b826e46c2018fc2f4

SHA512
5a7f6eb923f904fae2d9d225b3d149c53966edb0afcadb763e9bd282ca0e0efe837a90bdda5401b8135389a138c4bf7b98d0cad9266d08ecfa6c7bd2a16ca0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fa0236bd86b3c226d5c815a8cc6a9dea

SHA1
d2abb706b9c521b9c7774c2ef76e5ce655babb92

SHA256
79e4ad3a60a7620b5b0810386fa345a6c852d3f13bf12d009866b64a03d0d84b

SHA512
05bf02b81e69a5d26cfc22ad776b4e719b368126d8bbb320de285393ddd6e1de545c86347f34d3767beefa97affa02bdf35fa79bd46e1235d51404f7406b30b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cbd77304ea73ccbf5f9d1700c0b7af02

SHA1
472c6a985e00c0070a4504473a3e50889e3d56f3

SHA256
2f7793a90bbd7ccb2fe7596f44c1dc4d5549be1d79a8f9bde4fb7b3ee348ec9a

SHA512
30b4f01b164c751d669df3aea1bfeccf915a161b15907cd6401c2f55b665575de63d9bbfb277c1ad0329e7f4fb15c845fee81b9ac52ab20e828ecbd3814eac15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
73cad8e70f8f5ddd30c8bf86a70f744b

SHA1
6750553b73581f39cafd1811ec943158218ac39e

SHA256
27e6465ff4c7fa0d775655a384c00bd68355b30060f16b34911e807bfdcca249

SHA512
4a86bbd45298f6183f254b34f38865ad6a2982ad7fce92cffe88a5c1c9ce37c70c96a6153ae2419b6ff7b6a7a878d98ea311f45dcc3f40017adf78d459c6aa29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
79e9aac2179614bedbbd3ef8b95e5d1a

SHA1
3fb06ba363a8123acaa2f96b23348e30cbe74927

SHA256
ae976f081f0360fb8b97cb4dc7d90c251c9a1dbdbe365262cc37d2a9f642bd35

SHA512
0f43d4be455b50fc929ba3d20b2d4e6f66c8d64c74de12da6093e5dd1cb9fa2f291b3a303cc6f2c97f2cd69e6aba61579ec9e712ddcdc6757ffa2ac02a49d3e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef17e2c0fe75c262add75959173feb7b

SHA1
fbc2547fe439df6bddf27da8c64b11970fe10082

SHA256
6f365706d1e42a9bd45cc3084ef7a344724b840c4c55172db96864b23532ee9d

SHA512
d9f390a9dc92700a83f4ee6651e7cf41821e2596a0b3bc9f86a00d884c78fa6c393c871fb1cae9a0501277763465beced9b87d875fbc3cbd4e5e17a4b3857ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a2aca.TMP

Filesize
204B

MD5
e8c22af1049a4fb20119fd1ec8666cae

SHA1
25e46f4b58c5a2d48300cca6f4f41857fa82f51b

SHA256
f247c060727a7c15345ef805afecae356eca23df4a2708b28d5135e8f3eac790

SHA512
5253b7caf74dc90933b8dfac3ecc5490f4ea53e91f6334b5a8d62c2d26a715191dc7282b0f5348cb8d5147aa3e3e17d9215456b3188f32209110cb93d68ac7b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
250126840207be3d673b4d165b13715b

SHA1
04f6983dab2329fc615ef4a8cd719c8f2e888cc2

SHA256
ff95d8d88805edcd48c6ac3692914a97c44f246dba6a3ead47ed699a3bd06856

SHA512
8b5db3368367f6022f0ab6b8119548e0f3caab55c06aab1fc66f3e2c71017bba1e9106373d0df4df74ecf224a32b064fffbbc4bf54377b9ab74d3269c677e2f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2e376bd3232c38d7620edc1685ccc212

SHA1
dd2ec854ebec63dfd232e9227a6d2530ab0d7fd0

SHA256
f2fbb4ffc2734d1d58ec772d881023e7f14eddd2d576554948e7f4c6403e936d

SHA512
ab49c917e99aa67a815b5d9128b79c083bde1276ff169a9781d3d7e210bdadd61edf2a1224767c69d60fe9e9e497bd60bfdffb573196998bff5a09a9377823e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\58ab4e3d-6b1e-4a3d-aa08-af0033302374.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b5ec1c651d538125bbad8ae7b5878883

SHA1
fc51a9862cd962c1dcf92da77deca73aa79f0c04

SHA256
7e4836c483ec272727cb1e69f6d1769be0f8ea3783dab5fc6846bea18f8c5114

SHA512
ce915256b7339ce5ae8c12864b66f8c83c4ef31185e46d5877776a4fb21ae18a58c742af77312d54ca77f42d33c63e9b6ff868c078d11d423dac4b72cb599f2e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1e7dd00b69af4d51fb747a9f42c6cffa

SHA1
496cdb3187d75b73c0cd72c69cd8d42d3b97bca2

SHA256
bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771

SHA512
d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4fdedcf-8646-434e-a3ae-e8bfd637fcb9.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4808_378553680\36e40484-d9e5-489c-a631-fbf23187ae48.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4808_378553680\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
20.6MB

MD5
61ff0db02f68cc2257a4b0a980ddf1d6

SHA1
977b835d80ff7473b09cc7d7cebaacde5e8866e2

SHA256
935a123114b27ed93836492e29cfb59aa68f79760c700fde62c921f0407b3805

SHA512
d54a4104a8e3551c6a9da6595fc08a64f0f237f3e1ccde31d859f1408b4a0e4434ae847504930d9c958101fbd9a38c5dca5080075af42100e15498d4203ecd2e

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
memory/2960-2703-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/2960-2657-0x0000000073C20000-0x0000000073E3C000-memory.dmp

Filesize
2.1MB

Download
memory/2960-2659-0x0000000073E40000-0x0000000073E62000-memory.dmp

Filesize
136KB

Download
memory/2960-2660-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/2960-2770-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/2960-2768-0x0000000073C20000-0x0000000073E3C000-memory.dmp

Filesize
2.1MB

Download
memory/2960-2763-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/2960-2755-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/2960-2721-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/2960-2718-0x0000000073C20000-0x0000000073E3C000-memory.dmp

Filesize
2.1MB

Download
memory/2960-2713-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/2960-2656-0x0000000073FA0000-0x0000000074022000-memory.dmp

Filesize
520KB

Download
memory/2960-2694-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/2960-2687-0x0000000073F80000-0x0000000073F9C000-memory.dmp

Filesize
112KB

Download
memory/2960-2688-0x0000000073EF0000-0x0000000073F72000-memory.dmp

Filesize
520KB

Download
memory/2960-2689-0x0000000073FA0000-0x0000000074022000-memory.dmp

Filesize
520KB

Download
memory/2960-2690-0x0000000073E70000-0x0000000073EE7000-memory.dmp

Filesize
476KB

Download
memory/2960-2658-0x0000000073EF0000-0x0000000073F72000-memory.dmp

Filesize
520KB

Download
memory/2960-2691-0x0000000073C20000-0x0000000073E3C000-memory.dmp

Filesize
2.1MB

Download
memory/2960-2692-0x0000000073E40000-0x0000000073E62000-memory.dmp

Filesize
136KB

Download
memory/2960-2686-0x0000000000C00000-0x0000000000EFE000-memory.dmp

Filesize
3.0MB

Download
memory/3104-1456-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download