wannacry | hxxp://wannacry[.]exe

Analysis

max time kernel
441s
max time network
439s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-01-2025 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wannacry.exe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 5 IoCs

flow	pid	Process
74	2848	msedge.exe
74	2848	msedge.exe
74	2848	msedge.exe
74	2848	msedge.exe
74	2848	msedge.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC453.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC43C.tmp	WannaCry.EXE

Executes dropped EXE 25 IoCs

pid	Process
4316	taskdl.exe
4504	@[email protected]
4352	@[email protected]
224	taskhsvc.exe
4724	taskse.exe
3380	@[email protected]
4644	taskdl.exe
4944	taskse.exe
804	@[email protected]
3304	taskdl.exe
4092	taskse.exe
1184	@[email protected]
4056	taskdl.exe
220	taskse.exe
2480	@[email protected]
4712	taskdl.exe
3936	taskse.exe
2556	@[email protected]
4264	taskdl.exe
2560	@[email protected]
4736	taskse.exe
3816	taskdl.exe
4656	taskse.exe
1336	@[email protected]
4160	taskdl.exe

Loads dropped DLL 6 IoCs

pid	Process
224	taskhsvc.exe
224	taskhsvc.exe
224	taskhsvc.exe
224	taskhsvc.exe
224	taskhsvc.exe
224	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4564	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wymnmvjqxwm949 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
73	raw.githubusercontent.com
74	raw.githubusercontent.com
59	camo.githubusercontent.com
60	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 8 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4460	4724	WerFault.exe	144

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
764	taskkill.exe
5052	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1144	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 248444.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 987873.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2128	msedge.exe
2128	msedge.exe
2072	identity_helper.exe
2072	identity_helper.exe
2320	msedge.exe
2320	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
3180	msedge.exe
3180	msedge.exe
4392	msedge.exe
4392	msedge.exe
4840	msedge.exe
4840	msedge.exe
1628	msedge.exe
1628	msedge.exe
224	taskhsvc.exe
224	taskhsvc.exe
224	taskhsvc.exe
224	taskhsvc.exe
224	taskhsvc.exe
224	taskhsvc.exe
4420	WMIC.exe
4420	WMIC.exe
4420	WMIC.exe
4420	WMIC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3240	DesktopBoom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: 33	4704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4704	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	4420	WMIC.exe
Token: SeSecurityPrivilege	4420	WMIC.exe
Token: SeTakeOwnershipPrivilege	4420	WMIC.exe
Token: SeLoadDriverPrivilege	4420	WMIC.exe
Token: SeSystemProfilePrivilege	4420	WMIC.exe
Token: SeSystemtimePrivilege	4420	WMIC.exe
Token: SeProfSingleProcessPrivilege	4420	WMIC.exe
Token: SeIncBasePriorityPrivilege	4420	WMIC.exe
Token: SeCreatePagefilePrivilege	4420	WMIC.exe
Token: SeBackupPrivilege	4420	WMIC.exe
Token: SeRestorePrivilege	4420	WMIC.exe
Token: SeShutdownPrivilege	4420	WMIC.exe
Token: SeDebugPrivilege	4420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4420	WMIC.exe
Token: SeRemoteShutdownPrivilege	4420	WMIC.exe
Token: SeUndockPrivilege	4420	WMIC.exe
Token: SeManageVolumePrivilege	4420	WMIC.exe
Token: 33	4420	WMIC.exe
Token: 34	4420	WMIC.exe
Token: 35	4420	WMIC.exe
Token: 36	4420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4420	WMIC.exe
Token: SeSecurityPrivilege	4420	WMIC.exe
Token: SeTakeOwnershipPrivilege	4420	WMIC.exe
Token: SeLoadDriverPrivilege	4420	WMIC.exe
Token: SeSystemProfilePrivilege	4420	WMIC.exe
Token: SeSystemtimePrivilege	4420	WMIC.exe
Token: SeProfSingleProcessPrivilege	4420	WMIC.exe
Token: SeIncBasePriorityPrivilege	4420	WMIC.exe
Token: SeCreatePagefilePrivilege	4420	WMIC.exe
Token: SeBackupPrivilege	4420	WMIC.exe
Token: SeRestorePrivilege	4420	WMIC.exe
Token: SeShutdownPrivilege	4420	WMIC.exe
Token: SeDebugPrivilege	4420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4420	WMIC.exe
Token: SeRemoteShutdownPrivilege	4420	WMIC.exe
Token: SeUndockPrivilege	4420	WMIC.exe
Token: SeManageVolumePrivilege	4420	WMIC.exe
Token: 33	4420	WMIC.exe
Token: 34	4420	WMIC.exe
Token: 35	4420	WMIC.exe
Token: 36	4420	WMIC.exe
Token: SeBackupPrivilege	3568	vssvc.exe
Token: SeRestorePrivilege	3568	vssvc.exe
Token: SeAuditPrivilege	3568	vssvc.exe
Token: SeTcbPrivilege	4724	taskse.exe
Token: SeTcbPrivilege	4724	taskse.exe
Token: SeTcbPrivilege	4944	taskse.exe
Token: SeTcbPrivilege	4944	taskse.exe
Token: SeTcbPrivilege	4092	taskse.exe
Token: SeTcbPrivilege	4092	taskse.exe
Token: SeTcbPrivilege	220	taskse.exe
Token: SeTcbPrivilege	220	taskse.exe
Token: SeTcbPrivilege	3936	taskse.exe
Token: SeTcbPrivilege	3936	taskse.exe
Token: SeTcbPrivilege	4736	taskse.exe
Token: SeTcbPrivilege	4736	taskse.exe
Token: SeTcbPrivilege	4656	taskse.exe
Token: SeTcbPrivilege	4656	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4504	@[email protected]
4504	@[email protected]
4352	@[email protected]
4352	@[email protected]
3380	@[email protected]
3380	@[email protected]
804	@[email protected]
804	@[email protected]
1184	@[email protected]
1184	@[email protected]
2480	@[email protected]
2480	@[email protected]
2556	@[email protected]
2556	@[email protected]
2560	@[email protected]
2560	@[email protected]
1336	@[email protected]
1336	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2076	2128	msedge.exe	83
PID 2128 wrote to memory of 2076	2128	msedge.exe	83
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 3292	2128	msedge.exe	84
PID 2128 wrote to memory of 2848	2128	msedge.exe	85
PID 2128 wrote to memory of 2848	2128	msedge.exe	85
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86
PID 2128 wrote to memory of 4112	2128	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3424	attrib.exe
4356	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://wannacry.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffdb76446f8,0x7ffdb7644708,0x7ffdb7644718
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4132 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7120 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3216 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11321207287765873065,1844328686443613256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:4784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Users\Admin\Desktop\DesktopBoom.exe
"C:\Users\Admin\Desktop\DesktopBoom.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3240

C:\Users\Admin\Desktop\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1196
  2⤵
  - Program crash
  PID:4460

C:\Users\Admin\Desktop\WannaCry.EXE
"C:\Users\Admin\Desktop\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3340
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3424
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4564
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 53871738245399.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:480
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4356
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4504
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3464
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4140
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wymnmvjqxwm949" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:948
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wymnmvjqxwm949" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1144
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4644
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:804
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3304
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1184
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4056
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2480
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4712
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2556
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4264
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2560
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3816
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1336
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4160

C:\Users\Admin\Desktop\rickroll.exe
"C:\Users\Admin\Desktop\rickroll.exe"
1⤵
PID:2456

C:\Users\Admin\Desktop\Trololo.exe
"C:\Users\Admin\Desktop\Trololo.exe"
1⤵
PID:1644
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill.exe /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill.exe /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4724 -ip 4724
1⤵
PID:3100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8 0x324
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5cdbc327-669d-4e9b-82e2-f4fb33657553.tmp

Filesize
11KB

MD5
28d653cea7351984d7f3680591c47c86

SHA1
e1085d7d1f12c57e79f5d61fa00503974a3a3da4

SHA256
b2befa38a2d3544a2c5c3930e1c97f74e17f6b0a8a6618e69244701e3784e538

SHA512
36a9f1f1d293ab516bdf96855e2f4d7059ccaba92d75820c97a9d961e6427bcf51c7b794cc69a0a25a251885e6bd7938744806f042d1f7c190e2643a735249a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e97a507db8325bbdef7b1fcadf06f86

SHA1
7782c07045983db5ad0e43939b0c47b5f8e68736

SHA256
6f1f11f1f73b9c7c2e6866ea6759c409515884f382e22135c9ffde466accacb1

SHA512
47f8687649252eaa47447c56d53377577cfaad1d1a329f26d90d4b6a2f60110e022f262e98f77c409990909ed442e95a3a144971bda607fbbf8c5c52ca9f3f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\75de0c29-040b-4a66-ba04-dfbda3e14ac5.tmp

Filesize
1KB

MD5
9bac89f366b4960bb17e47076d7697f1

SHA1
086908b54f2cc7063d009dd764920e1b669b0b55

SHA256
25cd7de4c95d7b19d07c93bdbdaed5dc3d115322e0061f43f4b7234a967d0333

SHA512
3e79ef5fb88694a1c4f386286c9d091e62a44abd3fdd82004c273416e775f6c310bd21aaf7c746e116046a1951e09f3f2a07608fcf5170bc48f5624cd87981ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
20KB

MD5
4fa02ac6347763639aeb01d8adf287b2

SHA1
8cbf6b37f0cd329ba5b4f4f59437c55dd3057b37

SHA256
ec23a39504c8b289a6401723dd1a5153e9072e5f5beca20f88fac54ed3a477d9

SHA512
371e4b42152c578090254323dd4846df1ab38ac6bcff8ed6b67143dbfa5111c72e64366ac24b6ac04f3c405ce22e5f50f2a04e1805cce8b22ee8b95139a53afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1b5d49a5d3c3a5cbd7eccad5564f3cab

SHA1
b07a001e95c14e3a615c14b8fe62f3bcfe0d293d

SHA256
4b434c1b6f13d6d88897e903ccc08f95c2668062bd9a4e265a1e82b997e55af4

SHA512
9973ed3717a1285666de0816739b711eb867dc83905cd30aa617873b1f3b5cc58f1c993cdbcf704b2351589a031af24027f733cb4b1941a1d599d762d4620247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b9f890dde09fe5aa604ca81cd56a8345

SHA1
6528b14ba040e12791f6e37bcb5bdcfa35d40f3f

SHA256
6b94a2ec6b9af2d60725ac0c3a41b3848136ac48d69aedb53f6c8cd5c320f2af

SHA512
ca66a04c37e440bfb3a4b4e59571b64d171c2a01d009b1ff37af5aac98e361167eebde8b7bdf1b2eb4b5ab159abc62418f669666898d6dfe8517d5a6581d6b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7ad63a87103f8137bd662a0c3956be76

SHA1
aba2d3241679679e743ae4755351ac7c9017749e

SHA256
eccb16b1dba74630bb1df5bcbc805033bfbb602b8fd8caadd34283545a8eee83

SHA512
6aeba96f6c967bf54a97e63a3c71a15122cd279eaa1dfac10eac8615ebd105701e56a5159a64a31b12f8cbb03a298639129dba016226863f08337855540396db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1024B

MD5
a69eceb5a409f73bcbcff282b43cf06f

SHA1
6f8d847b38f8b24e0e88200f710eb5842db3e931

SHA256
3f01b7357f03f6ff573977d468dd5641043f3d650af1bd41459d065a45027d2f

SHA512
185231dc00ba055d61aee47deed6a0d936bc4ebfe31b72ca6fa16cc92a2314c317f0e53ad91577e9eec84d3f0bd1204c550c34c0d52f8246ce8685f3d3edffba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b9a4de4bf1e79969ed90d01031b766c9

SHA1
60e9f3a2a7a5f4b4ef999d645f1b195ba0cefa43

SHA256
f1f0d9b8ca19deeab33d42cfb1594608bb4a4c8cfdd20d62419947bf2bfd1f26

SHA512
82e0607ae2a2f345f607a1204523b0fc2f19247d9758c572b91a025b6d441a231b669a91a4b58fdb0abe4e33cd2140f8fbe68cda10042e6c4e4c4ca98b503014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b60e2e9b0798c67fb8f79e4924859a82

SHA1
c703ba8d11eab30423c5eb6c1d4870512fc3b035

SHA256
20b22d4fd4c28f8e9d11af61a3d14c8c4d196b690ada7efa9ad499b032f8df18

SHA512
85519a405781394cacab7df777274e216ef95f041a49f0dd8f404b108c5b803bda079bf5a3d50c002dee46518f35b781e961e0cb25a045eab162bba83ff561b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
05b8ccc9dce688689afa84d0ccc0db1e

SHA1
d7488df4dd8c42df85351d06fec8f43bd0177952

SHA256
64b70cb08380b49115afaacf5e35bb4ca04319dd73d027f4b1e86cacb20afb64

SHA512
2c82be1d3e475e87b62f2407ff782bc35ac0bbf686914ecf606f2519d5d88f91555c7f4f820eddcc5b4cc7d7f82139228c49005cc4bab040cdaf2173b2bb223c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db30a7b78b9b057ff7ff29db66ddf7cf

SHA1
85927a74fa1006c22a5a88fc6a64802fbee98365

SHA256
d9052dd88ba6b579a4a35316de53191756c3f89c23ceaf27f634fc882bcbdbe6

SHA512
ffbf1c3b2a9c8020027e04365c7ee022bf18416eb89e91c1b9f7cde6877209be1799a6140ef00fcb3b8f8844fa5d9f75fbd7d28798fd1dfe3f1f06ed741f18df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cdc1bb5afaf1f6eda439e22e477b8db3

SHA1
0d9571864589a394bfe87b168738aad0305a42e3

SHA256
fc9a7f77b34275f828bb42edc176275738f3ef6220cd0e79f3852e0e1d3619a5

SHA512
a8cb55d75b3e9bcebc5e968261506a39ed0bcf3d4dfff1436d22b68624a3b5d6260ea4dd2a82d8e497b86970d0e297ce8d8fca5f8856ccdb6eee23af1339b757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0dbb832a94b87b45a6d2d94c09c24e8b

SHA1
f801b65b120cb25e7fd4a515222f90654ac6c4b9

SHA256
ef8dbfad32be2718a79655e573af6811de454b93512753ae4179609f9c4f3737

SHA512
900b2edf67b412c42a0ca4911da3d29b3cfe84149a63957d5126327397b06599dcd50e930b8d49aa1def04d312423bdecd1d2dd81cbce1ecb0460cf3f84bd458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4aedeffb8a1c3c8184025b91ba9771bc

SHA1
aa0e0e323a68f4d3fa4b2dd6d2e6481afef8a5c0

SHA256
309c45272d5a6ac32be0c7190a4f60a4986f70ee19a3a059c95b91f976ba7926

SHA512
34785298e036d86e5db1b3dd9b59f524083cc86f4d5e9719f71b948fe65d3170fff00e543d07fecbdb59f8af08100d346f796e3ba9a4be672de4d4d06f11038e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7903adb758e4baa11444f0e5b5be2cd5

SHA1
aaf3bb54aa9ba184cda5d87f7dbae3e32d5384e4

SHA256
537bfbe1854d2e1fa517c002477f9d24da51f6a3464bde1e247588c322510cc1

SHA512
c25c0b594918542507961359c33ff2b83086a6d0eee9c0486bb7b6a970b16f7fac6a5072483a3c1a268eb03cc55c27b4053014d5ddc744221065c2c13bde0b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9e29fe128271ee3681fdc78da5aeaf8f

SHA1
e7b2ded168556f3ca63437714e3a83f13d9a751f

SHA256
013304908a3091be1cb63bbe5421cf3e0838dd82fcb5748065781c970aa21225

SHA512
85c26c1e6133bd3cf9a9978a93464254d306543689cfe4bf5eeb056084c1e62b5399b5a512d43157dfead89a92bbec30384f2c913f7faff8797f062c2d364728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4a0fc8caa9a76fc360fbf222900a4659

SHA1
400a601093ef25c54e1142a05c2849643719ae88

SHA256
5134b1529108bb6abcb42ff95afc27cc4cd0932164c85e0a4427a928a34e91ac

SHA512
53bf552e7e5b98cfe9b14b67245271cd0847a57268d11b542326c7cb77e6b80c93fd96e49a814207e979f8c819cae01eee574b594c8b073445ffee0524a4bca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
580f41a17061a1d849f7e9d60ff18aa6

SHA1
762fd39e2b9eb3e21d51f4ebd7c55e0557420800

SHA256
83637c94ec37e78e34bf1cda227eed230a7424e39f0dec45bc07cf3f4f22d139

SHA512
3ea6bae95cdf95e30429bd39dc5c8d0cd18337d63916972d21d0b86ae21b472fa1da6ff0f57f03268b447b47efd17b6ebd435df3737a3da562772b5f69038802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
852e60ddf38b60d35fab8538765c9dca

SHA1
ebf9078a63d586c0a561038f80dd0db7d12d67da

SHA256
094ef7fadc88c465d15bd0862349092546f8c214ff57f930fcc505ffc85f1c79

SHA512
3cd1550fe5c995f2690d4bb17580a00fe11304fc9158249d919b2ef66541add0b5e40d371ac5e9934d7c8f1c8b5d015b821dee9dd58a9bedf8e61f46ce7bf45a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a3efa156f1582927e2a304881a0254e

SHA1
7c67055ca8c5dd9035cd8e59c1fceccc4686024b

SHA256
564fa14049abb1bdbeec8e8200467a07cb003287053054b069c05b663810fdc7

SHA512
0b5be7e2dad9f8d370f69ed06985bcdc3ba1967533b0f8853fa6b5906849deb292ea5e83b733fb67c6e0e91ba6075d9b2aa51fcff12ec6ccb301e55c0e2a238a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
baa1eec9fecb361e25d4dd3d8b3552d4

SHA1
00c45fbecb9f2e69bab6d6265b6b0014d2fc3960

SHA256
37dc3fbd44bccd7a5b58f97f80722cdf00f45156fe1ee9c13f5aae27e1fc57fe

SHA512
810ac24e03fe77259a28834867da161816ef569ee5c70b27454fa7157cddfef86ed51566129765c1404c958ae674f0317b2606772967fd85dbf7586ecc258b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1524de28fc3baa82c4feb8a5aa4cb16e

SHA1
008beea2148f078b68990273edf1d81a5990a0c8

SHA256
c8b53ac369f1e1dcabc29dadd61e012cfd5fee8c6dd4cb324b19db39bfe65271

SHA512
4be1330ee9fb7560362ae08b092630b01fbb7510b93d1a09665c8fac156942903cca0630c42ecea39f0e0d773a3ba213c7a3c94d73c89c8833f217cc9bb4c886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d4fc2fb0ef265c2fd420ff20c08ce04b

SHA1
775648af4dd5ff45a1faddc55892b9903cab0425

SHA256
52566ecdf22f66ec95ce6f48eb455438286a3f73ce2a3fd2dc02f128a8278c62

SHA512
d5ae48b9aa9ff1b63f4da30748328ab063c58d5ff7a16a24043a395d9456c2c54aa88e324476558c41bc4d87ea083519f8df04ce49079867b40d7e89abd7b9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cf66fee47c13ac4d88d0ca13ec1f14ec

SHA1
283158853d68b40cea95502018465313025c9e3b

SHA256
52840ebd05f2884bc184aab11487ea738502885c519d9308d68de70e16763f2c

SHA512
8113bcead2b7fcb63c16283055e29f71dc29ac11a3ab7f72c4886b3b405eff2d43e2a8697eee836b652c9c116c15b895466c70f4451f6aa73afcd2dfe8400f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5257654d54a8984fbc76c79eed61bf06

SHA1
71fe84c447589a66323c031dfdd16cf0ec8cd374

SHA256
901353592f1153971b4770aaab2be592b9f9b6a3ab915b2019fbd77a63544619

SHA512
bfd1e3207e8a6fcf6ce97ce3e3f2f72181b0ded0961efbf27db1de6dc65636cc120337f77cf35d7d17c8b0087b589611ee2cd30ad6330cf546344bc9b920ecf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e8870f7e6dfb5fa5ad98c95f8983f95

SHA1
f6b7546d351112d2186e20b7b842c9bc5d1f32fe

SHA256
6492670eedb017804a1652847024e0107751a8e1cfd1b38a18a31ea3c231a6b9

SHA512
ead58d133e3693d88fbc03a055b0473f6454e974004b81ea01e199b8b167433ba6f98d3b6120d84fe0049532c86010afd6092be8fcae203a1e41b7f85d4a2883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9d722eed0231fd4f365811a9af6933f7

SHA1
e4d5fbc49961593a426a11965187c50d2fcc3c60

SHA256
ca92247c8a4c083fa2af0b02066252b2f0558828fa2435185b00623f3af81f77

SHA512
f1d0f5b09710dfa34e6aba58fbbb8c365baffa3c2b2094337fbf798022ec68cc412d974ef0039499f88d53cefe38c748bbdc56ccd1b05f1fa709273eea9effb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57eb2b.TMP

Filesize
1KB

MD5
dfa91e80c779eadb466b589eed5263aa

SHA1
f3ec785634587f976debc9d5a41f080d5cdb971c

SHA256
1d79290bea2fad3158de241f49c9b115f874b40900e4943d6f2290a068ef1f25

SHA512
0474ac0ffba2b028ce9751a9ebe4c47d6b8718dfdbe67d20c13f2c851dae9d0792c0108c15529e21f7c00d36b5898a1b38c13bddab8ace20f8ed28e39c243c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6c3b537aa1e77dff14fae6306fe52eda

SHA1
35303172ec0b006e680f9aea9a9445017bb5ff48

SHA256
bfd62f3a040e6488650aef087488ea182ae447989c85af5d0e97ec98e8da17aa

SHA512
12dc27a07ed52ad7c5b0b297e413a918af6fb38bcfb6743e35134613a634e9ab6baf817239f04bd5051fb55e688e023bb0b923b9bc32f44b0b0192558eb8da50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c966bd4423fdbd3bde9eca1c66557ae1

SHA1
ec712ae029e80cd149689f862e99afd6b47f0927

SHA256
dabf94c3f6c55a9bd407cc6ccc624380a96e1ff4b5e8604f4233688e3fe1b5f7

SHA512
4577eb9ff6a84b4c4ff2b3f0a19756b659036c4d5d83038e2dab21c76cf453a6ed4336345424e82a5cc7b8747dd16b25d90d72ba03c7345a5ce378cbb774c0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
099708a33401163f9f76c6464091e29a

SHA1
9834e40f7f254d34dd8e1ddb7efaf45aa5228317

SHA256
a6363827e8fb947dea3ade1b8d9f0983ba89485d23775723fab3ed371e6ab335

SHA512
c89f9abb7c21778181d26d1b7af176b4436c30c51153135ce8afc32b52c3abd58169678cc519a9caef1b79635d29ac0c3a6ddf9ecce1ba5128bb830390406ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
01cc7fa7e4416453b4821b1a3cfdefa8

SHA1
6b42a81cb96f47c2159d80f6e5d83722bad8d719

SHA256
d72c4ffeedc1ecb3c59202c4873747745e3a51ab799d562ae8c7cbedad045549

SHA512
d3d2335c0a66948c8ab92b407d4f91a309ca480ac24134d77667429af65a77528bcc16ba0747e1a5c61bea23f538c6fbfb076a145d2eb29cc7404e2eae5ae437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f0fce28cf8aae9f1a99a01e5aaffe77b

SHA1
e0bc8322dcef640890e7ed59a31d37865afd0c52

SHA256
8e34322243c8ee69e384a59a2c6c496f4fa318df4e308b56205ca7e9c1f7787c

SHA512
f98dd45cb0b88a4ec0e2873ab8cbdf4ea7512c8cace740b187c3c97406e19fb11cb1b879de33995f5cb200b898bed5b8ae86f1900341318aa64daddca363bddd

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
17.0MB

MD5
21b9bd174e101981e7ae8389db137310

SHA1
46702a3042a6da370712a32d380d96dc2887ea4b

SHA256
bf3f8e182fd0acfe2ed0800e1d5fcf86d5c68b3f0a47ab767d235849d4f9c438

SHA512
615a8e8cd5bab613bf8593f490f2c31be3ae2677e6b528aa4c365c23f458f0c319593c89c03721f56f90262601caebc4ae98dfc5ff777b029116833a4547b0ba

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Desktop\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Desktop\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Desktop\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Desktop\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Desktop\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Desktop\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Desktop\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Desktop\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Desktop\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 248444.crdownload

Filesize
3.0MB

MD5
b6d61b516d41e209b207b41d91e3b90d

SHA1
e50d4b7bf005075cb63d6bd9ad48c92a00ee9444

SHA256
3d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe

SHA512
3217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 293601.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 498911.crdownload

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 528309.crdownload

Filesize
1.1MB

MD5
f0a661d33aac3a3ce0c38c89bec52f89

SHA1
709d6465793675208f22f779f9e070ed31d81e61

SHA256
c20e78ce9028299d566684d35b1230d055e5ea0e9b94d0aff58f650e0468778a

SHA512
57cdb3c38f2e90d03e6dc1f9d8d1131d40d3919f390bb1783343c82465461319e70483dc3cd3efdbd9a62dfc88d74fc706f05d760ffd8506b16fd7686e414443

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 987873.crdownload

Filesize
129KB

MD5
0ec108e32c12ca7648254cf9718ad8d5

SHA1
78e07f54eeb6af5191c744ebb8da83dad895eca1

SHA256
48b08ea78124ca010784d9f0faae751fc4a0c72c0e7149ded81fc03819f5d723

SHA512
1129e685f5dd0cb2fa22ef4fe5da3f1e2632e890333ce17d3d06d04a4097b4d9f4ca7d242611ffc9e26079900945cf04ab6565a1c322e88e161f1929d18a2072

Download Submit
memory/224-2459-0x0000000000CA0000-0x0000000000F9E000-memory.dmp

Filesize
3.0MB

Download
memory/224-2460-0x00000000749D0000-0x0000000074A52000-memory.dmp

Filesize
520KB

Download
memory/224-2463-0x0000000074710000-0x000000007492C000-memory.dmp

Filesize
2.1MB

Download
memory/224-2542-0x0000000000CA0000-0x0000000000F9E000-memory.dmp

Filesize
3.0MB

Download
memory/224-2483-0x0000000000CA0000-0x0000000000F9E000-memory.dmp

Filesize
3.0MB

Download
memory/224-2534-0x0000000000CA0000-0x0000000000F9E000-memory.dmp

Filesize
3.0MB

Download
memory/224-2505-0x0000000000CA0000-0x0000000000F9E000-memory.dmp

Filesize
3.0MB

Download
memory/224-2493-0x0000000000CA0000-0x0000000000F9E000-memory.dmp

Filesize
3.0MB

Download
memory/224-2461-0x00000000749B0000-0x00000000749CC000-memory.dmp

Filesize
112KB

Download
memory/224-2553-0x0000000000CA0000-0x0000000000F9E000-memory.dmp

Filesize
3.0MB

Download
memory/224-2509-0x0000000074710000-0x000000007492C000-memory.dmp

Filesize
2.1MB

Download
memory/224-2462-0x0000000074930000-0x00000000749A7000-memory.dmp

Filesize
476KB

Download
memory/224-2448-0x0000000000CA0000-0x0000000000F9E000-memory.dmp

Filesize
3.0MB

Download
memory/224-2447-0x0000000074650000-0x0000000074672000-memory.dmp

Filesize
136KB

Download
memory/224-2446-0x0000000074680000-0x0000000074702000-memory.dmp

Filesize
520KB

Download
memory/224-2445-0x0000000074710000-0x000000007492C000-memory.dmp

Filesize
2.1MB

Download
memory/224-2444-0x00000000749D0000-0x0000000074A52000-memory.dmp

Filesize
520KB

Download
memory/224-2465-0x0000000074650000-0x0000000074672000-memory.dmp

Filesize
136KB

Download
memory/224-2464-0x0000000074680000-0x0000000074702000-memory.dmp

Filesize
520KB

Download
memory/1644-1291-0x000000001BDE0000-0x000000001BE86000-memory.dmp

Filesize
664KB

Download
memory/1644-1293-0x000000001C3A0000-0x000000001C86E000-memory.dmp

Filesize
4.8MB

Download
memory/1644-1295-0x000000001C9D0000-0x000000001CA6C000-memory.dmp

Filesize
624KB

Download
memory/1644-1296-0x000000001BEC0000-0x000000001BEC8000-memory.dmp

Filesize
32KB

Download
memory/1644-1297-0x000000001CB30000-0x000000001CB7C000-memory.dmp

Filesize
304KB

Download
memory/2456-2428-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3340-1284-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4724-1289-0x0000000000660000-0x00000000006D2000-memory.dmp

Filesize
456KB

Download
memory/4724-1314-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/4724-1315-0x0000000005140000-0x0000000005196000-memory.dmp

Filesize
344KB

Download
memory/4724-1294-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/4724-1292-0x00000000055B0000-0x0000000005B56000-memory.dmp

Filesize
5.6MB

Download
memory/4724-1290-0x0000000004F60000-0x0000000004FFC000-memory.dmp

Filesize
624KB

Download