wannacry | cfb543bfeae430a44f248c20dab9d35699c1ae42b0e92dfbed201135c81d7af7

Analysis

max time kernel
899s
max time network
890s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06/02/2025, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

examplemod-1.0.0 (4).jar
Size

35KB
MD5

8d89a507cef0a399769597e3f82a521d
SHA1

da0a98e6d3aa7986ec587d9ed4bb5d035fe6323b
SHA256

cfb543bfeae430a44f248c20dab9d35699c1ae42b0e92dfbed201135c81d7af7
SHA512

621cbb422756a29bf915fb6ebd5a73a2981db6139592da12a8bb24b040f959e4a7f07169ad440f26b212ec08e32a96ae617380cebf9bdaba98e5650300dc7323
SSDEEP

768:IcN7vbGiWGw7Xp5x7urXxIdHdGgdIV8lA41R9rznfXk7n:RvIGw75DqbxcHAgdU822R9rznvE

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE220.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE227.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 64 IoCs

pid	Process
2500	taskdl.exe
1028	@[email protected]
3908	@[email protected]
3700	taskhsvc.exe
2768	taskdl.exe
1624	taskse.exe
1204	@[email protected]
4960	taskdl.exe
2404	taskse.exe
3968	@[email protected]
5464	taskdl.exe
2664	@[email protected]
5784	taskse.exe
5164	taskse.exe
3020	@[email protected]
2664	taskdl.exe
5444	taskse.exe
1440	@[email protected]
2076	taskdl.exe
5596	taskse.exe
3928	@[email protected]
2296	taskdl.exe
2800	taskse.exe
5900	@[email protected]
3692	taskdl.exe
5328	taskse.exe
3184	@[email protected]
5528	taskdl.exe
1340	taskse.exe
3064	@[email protected]
4968	taskdl.exe
2116	taskse.exe
1428	@[email protected]
5468	taskdl.exe
6140	taskse.exe
5760	@[email protected]
5168	taskdl.exe
2516	taskse.exe
2880	@[email protected]
2540	taskdl.exe
2044	taskse.exe
1832	@[email protected]
2416	taskdl.exe
5888	taskse.exe
5868	@[email protected]
5152	taskdl.exe
1476	taskse.exe
3856	@[email protected]
5004	taskdl.exe
2752	taskse.exe
3908	@[email protected]
2116	taskdl.exe
1428	taskse.exe
2812	@[email protected]
3092	taskdl.exe
2504	taskse.exe
3368	@[email protected]
1336	taskdl.exe
2268	taskse.exe
5640	@[email protected]
3284	taskdl.exe
5236	taskse.exe
4792	@[email protected]
4804	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4388	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fpoeqxjgeleu832 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
48	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\.WNCRY\ = "WNCRY_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\WNCRY_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\WNCRY_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\WNCRY_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\䆟縀䆁	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\WNCRY_auto_file\shell\edit\ = "@C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\oregres.dll,-1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\WNCRY_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Winword.exe\" /n \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\.WNCRY	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\䆟縀䆁\ = "WNCRY_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\WNCRY_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2884	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\jigsaw:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Lsd-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware-Samples-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
432	Winword.exe
432	Winword.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
3180	msedge.exe
3180	msedge.exe
2200	msedge.exe
2200	msedge.exe
3916	identity_helper.exe
3916	identity_helper.exe
3860	msedge.exe
3860	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
904	msedge.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
3700	taskhsvc.exe
5288	msedge.exe
5288	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4896	OpenWith.exe
5448	OpenWith.exe
2000	OpenWith.exe
3792	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4136	WMIC.exe
Token: SeSecurityPrivilege	4136	WMIC.exe
Token: SeTakeOwnershipPrivilege	4136	WMIC.exe
Token: SeLoadDriverPrivilege	4136	WMIC.exe
Token: SeSystemProfilePrivilege	4136	WMIC.exe
Token: SeSystemtimePrivilege	4136	WMIC.exe
Token: SeProfSingleProcessPrivilege	4136	WMIC.exe
Token: SeIncBasePriorityPrivilege	4136	WMIC.exe
Token: SeCreatePagefilePrivilege	4136	WMIC.exe
Token: SeBackupPrivilege	4136	WMIC.exe
Token: SeRestorePrivilege	4136	WMIC.exe
Token: SeShutdownPrivilege	4136	WMIC.exe
Token: SeDebugPrivilege	4136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4136	WMIC.exe
Token: SeRemoteShutdownPrivilege	4136	WMIC.exe
Token: SeUndockPrivilege	4136	WMIC.exe
Token: SeManageVolumePrivilege	4136	WMIC.exe
Token: 33	4136	WMIC.exe
Token: 34	4136	WMIC.exe
Token: 35	4136	WMIC.exe
Token: 36	4136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4136	WMIC.exe
Token: SeSecurityPrivilege	4136	WMIC.exe
Token: SeTakeOwnershipPrivilege	4136	WMIC.exe
Token: SeLoadDriverPrivilege	4136	WMIC.exe
Token: SeSystemProfilePrivilege	4136	WMIC.exe
Token: SeSystemtimePrivilege	4136	WMIC.exe
Token: SeProfSingleProcessPrivilege	4136	WMIC.exe
Token: SeIncBasePriorityPrivilege	4136	WMIC.exe
Token: SeCreatePagefilePrivilege	4136	WMIC.exe
Token: SeBackupPrivilege	4136	WMIC.exe
Token: SeRestorePrivilege	4136	WMIC.exe
Token: SeShutdownPrivilege	4136	WMIC.exe
Token: SeDebugPrivilege	4136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4136	WMIC.exe
Token: SeRemoteShutdownPrivilege	4136	WMIC.exe
Token: SeUndockPrivilege	4136	WMIC.exe
Token: SeManageVolumePrivilege	4136	WMIC.exe
Token: 33	4136	WMIC.exe
Token: 34	4136	WMIC.exe
Token: 35	4136	WMIC.exe
Token: 36	4136	WMIC.exe
Token: SeBackupPrivilege	2692	vssvc.exe
Token: SeRestorePrivilege	2692	vssvc.exe
Token: SeAuditPrivilege	2692	vssvc.exe
Token: SeTcbPrivilege	1624	taskse.exe
Token: SeTcbPrivilege	1624	taskse.exe
Token: SeDebugPrivilege	4244	firefox.exe
Token: SeDebugPrivilege	4244	firefox.exe
Token: SeDebugPrivilege	4244	firefox.exe
Token: SeTcbPrivilege	2404	taskse.exe
Token: SeTcbPrivilege	2404	taskse.exe
Token: SeTcbPrivilege	5784	taskse.exe
Token: SeTcbPrivilege	5784	taskse.exe
Token: SeTcbPrivilege	5164	taskse.exe
Token: SeTcbPrivilege	5164	taskse.exe
Token: SeTcbPrivilege	5444	taskse.exe
Token: SeTcbPrivilege	5444	taskse.exe
Token: SeTcbPrivilege	5596	taskse.exe
Token: SeTcbPrivilege	5596	taskse.exe
Token: SeTcbPrivilege	2800	taskse.exe
Token: SeTcbPrivilege	2800	taskse.exe
Token: SeTcbPrivilege	5328	taskse.exe
Token: SeTcbPrivilege	5328	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1028	@[email protected]
1028	@[email protected]
3908	@[email protected]
3908	@[email protected]
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
1204	@[email protected]
1204	@[email protected]
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4244	firefox.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
5448	OpenWith.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe
5632	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 5008	3180	msedge.exe	82
PID 3180 wrote to memory of 5008	3180	msedge.exe	82
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 1988	3180	msedge.exe	83
PID 3180 wrote to memory of 4716	3180	msedge.exe	84
PID 3180 wrote to memory of 4716	3180	msedge.exe	84
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85
PID 3180 wrote to memory of 2936	3180	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4796	attrib.exe
3132	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\examplemod-1.0.0 (4).jar"
1⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff05613cb8,0x7fff05613cc8,0x7fff05613cd8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6480 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1288 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1244 /prefetch:1
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1700 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1716,4894914432144968523,18392794252959758010,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7920 /prefetch:6
  2⤵
  PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3116
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4796
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4388
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 287061738812095.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4440
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:3132
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:200
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fpoeqxjgeleu832" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fpoeqxjgeleu832" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2884
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5464
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5784
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5164
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5444
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1440
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5596
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5900
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5528
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5468
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6140
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5760
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5168
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5888
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  PID:5868
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5152
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3908
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3092
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5640
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3284
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5236
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3876
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:5424
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:892
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4896
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\jigsaw"
  2⤵
  PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\jigsaw
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4244
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccda0f20-4dba-49c0-acb5-3e1a447e6e54} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" gpu
      4⤵
      PID:3444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76298208-3d2e-42f7-afc9-ccf3b4a1998b} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" socket
      4⤵
      Checks processor information in registry
      PID:4916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2876 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84e3fe1e-8b93-44f2-9062-d7cefc69824e} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" tab
      4⤵
      PID:5088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -childID 2 -isForBrowser -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a74278c7-6d3d-43e3-adf1-63c02c74ffee} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" tab
      4⤵
      PID:1800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 4084 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac5576b-233c-4808-9970-0bb8b2951af3} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" utility
      4⤵
      Checks processor information in registry
      PID:5540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5204 -prefMapHandle 4968 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93cf4e51-0024-435f-a7c3-6db43af8cc71} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" tab
      4⤵
      PID:5764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5508 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c45fd8cf-7a2e-4411-9dcc-c1b283d7b21a} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" tab
      4⤵
      PID:5804
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b0d18e6-a797-40ab-a6d7-42c016b1064e} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" tab
      4⤵
      PID:5872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5448
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\jigsaw"
  2⤵
  PID:5340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\jigsaw
    3⤵
    - Checks processor information in registry
    PID:5312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5632
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\jigsaw"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  PID:5772
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5904
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B5BDC40E39C3F2F82088628CD041E4BC --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:6116
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ECC840562DAD6696D4F26D2A1FEE4ED6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ECC840562DAD6696D4F26D2A1FEE4ED6 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:6140
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7EC7D18ACDBE92A9833BFD63745E41C1 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5484
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE4B0973D445F583D6045C0C87AFB199 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4788
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FCCBEAE4114472C97F302790A82095E3 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5512

C:\Users\Admin\Downloads\Lsd-master\Lsd-master\LMM.exe
"C:\Users\Admin\Downloads\Lsd-master\Lsd-master\LMM.exe"
1⤵
PID:4744
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe cygwin1.dll
  2⤵
  PID:3388
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe cygintl-8.dll
  2⤵
  PID:3616
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe make.exe
  2⤵
  PID:2268
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe wgnuplot.exe
  2⤵
  PID:5744
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe g++
  2⤵
  PID:4692
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe libwinpthread-1.dll
  2⤵
  PID:888
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe libgcc_s_seh-1.dll
  2⤵
  PID:6124
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe libstdc++-6.dll
  2⤵
  PID:5648
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe tcl86.dll
  2⤵
  PID:4796
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe tk86.dll
  2⤵
  PID:3312
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe zlib1.dll
  2⤵
  PID:3772
- C:\Windows\SYSTEM32\where.exe
  C:\Windows\SYSTEM32\where.exe wgnuplot.exe
  2⤵
  PID:2232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3792
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Jigsaw\Ransomware.Jigsaw.zip.WNCRY"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  PID:432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004E0
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
48KB

MD5
df1d27ed34798e62c1b48fb4d5aa4904

SHA1
2e1052b9d649a404cbf8152c47b85c6bc5edc0c9

SHA256
c344508bd16c376f827cf568ef936ad2517174d72bf7154f8b781a621250cc86

SHA512
411311be9bfdf7a890adc15fe89e6f363bc083a186bb9bcb02be13afb60df7ebb545d484c597b5eecdbfb2f86cd246c21678209aa61be3631f983c60e5d5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
25KB

MD5
e580283a2015072bac6b880355fe117e

SHA1
0c0f3ca89e1a9da80cd5f536130ce5da3ad64bfe

SHA256
be8b1b612f207b673b1b031a7c67f8e2421d57a305bebf11d94f1c6e47d569ee

SHA512
65903ba8657d145cc3bbe37f5688b803ee03dd8ff8da23b587f64acaa793eaea52fcb6e8c0ec5032e0e3a2faacc917406ada179706182ce757d1c02979986dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bbe00d9bf7b798e_0

Filesize
5KB

MD5
c3ab76c86a2a36f9825855e9e209f7b8

SHA1
4da67c11da8f78bee1fd6e2b373c1054b4260c21

SHA256
0c780a43f6fd9856887e67229e296c829fefbeeeb6b2d39fe0af33ef2b424926

SHA512
114a8f7e38097e8938a9dd9c6fe6e72a0515c8e88aba47f36eac2e02508e5c62c576bb9d23f5cb02ae6ab5e86ca63bb824dda852867c07f60ef16e13b179ee65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
ba56a9d8902273117a268c62a52d5f62

SHA1
d43ce04ef57603166326d2d115623c749d451007

SHA256
e14e2acdbc1d358115c817c50b183e0e19fda32cc1708894f92af906abdfcad2

SHA512
6d3a3720f895bac173651c002e2a0f305de76b6cc1ca4186ef78ecaa8ba275311e3ddfe19d0b847d40335975c3162f66213082cf55f114d68ae7b0031719a2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2692617678c042d9_0

Filesize
10KB

MD5
90c6784de85919f2401ca71d5509f9f3

SHA1
03416d7c2e41abed920b6d5fcc381d4a063eeb49

SHA256
dbd7df102972885e62d7e01aa8a0cd0fed3949991b2159963b9fe1e80e1e55b7

SHA512
ad7e82db5fb6529faf4c19db62c60a4eb32a3a6f2e0ed67848b4793187a72f5c6a2529ddb440e7c94bb1aca2fe1afec3765e7b57e9f374a31c08430e16a0e885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\27528d9073bf1d0c_0

Filesize
112KB

MD5
3c8292820bafb681e60ac4c37e072a95

SHA1
104cb62f159f59d1c0bd79a6e18bf5d22e342885

SHA256
f338ecc06c573fa5fb08fae151ab0801b0b6171d0766095711d9c001ee918294

SHA512
7b1ae348f7ade177e8c34364a2490889fe9bed051ae396619371a4baab371e975880690858ffe09e95396165c40e97956fa789bdd89b2fb66e95bd736084a287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2f4680e8f8f8a14f_0

Filesize
13KB

MD5
208c1325533dad70febefb020e99ef3d

SHA1
2f50fec6b001143326d54ffe4f96ee981702cfb1

SHA256
bc0b767978a03ad2a0ca6ea9ded226966695cf279191449aa0541a04dbc766ee

SHA512
af8f448b678ac4dec1b20b706cb2899aa1c3e791d79ce414844acd91c72ae4a0443ba45af7a37689895f4a9580b942fe1908160e88d07b28ba2a4b814b7fcdf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\37afe38eb817b647_0

Filesize
38KB

MD5
62e8038207303a060f2f486c0981a5a0

SHA1
158a38eeae628e4d5a4c09f947268fa87d09fd3e

SHA256
0ec1afac82263f9349a8227acd6d3e84c075be041f75c37e28e079a7c4ac2d23

SHA512
27e79471d988708f16135966495f3f0321b933819b05f0c176ba0ae8b17e1d82d68a5bee1a3da4849d04e6ba2b22acb408a24ec8fd8b2255ac853f4e5868f39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a4259a0181983ba_0

Filesize
23KB

MD5
e8b13430419fa790f3f3a847b7afef1f

SHA1
e80b84b3281e9c0bfe6c53329efe21ab782fdbf0

SHA256
e0e8e1d66cd0f84ce546ce659bb92b6acd3758c1187971a42c05813457b877f3

SHA512
08ae1fd1428e66e85f63335f835b7d2c049e86dd6134f0ebed5abfe06fce7ea4cfbfab30b525b3cb576e9d93e13c2ad52435ad5b672f5aa78fc1b33aad7870c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0

Filesize
1KB

MD5
614c6ae3273fe76c6e027960cfb5078b

SHA1
d6b22cf969dfe43423bfe727bd7f7486381ffa21

SHA256
d214529fcad03ba2f84cdefd57ca65f3aebd52670cd91e65a74a20eff6e6f3b3

SHA512
f7348351de3bdc33fbb2250d8788bba0f01150eff3254a35b04b1f2f9f3e120abe24ea0c799a7f052f4c4b98bea8d4008aefb4756679d6840900945e8c95131a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4e9b18b0f66a7183_0

Filesize
1KB

MD5
dcae7fe1ecf412183a3e916dca8fdd0b

SHA1
d30531c4b238ac36ac896f2c5ffabbc605feed87

SHA256
fdbe3344ed066e3adc4ed89a8e0a89bbed20288048ac20e5a78203a53997b8dc

SHA512
31e5c4e1d7ee9fd2fedf2d65253ad8a02475b4f1f3edbf299f5a5336fb62a166c94dd054c2932e0b6a09d6c104ae424521b5c90c971997e4117c220be0027dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
3KB

MD5
a07018bae69e61c18c73f2eb8064d208

SHA1
1a496340d850ddbecb38b83903750d03b595bdf6

SHA256
060eaccc0207485e7b9d8d7b21e0e6f9dd993bbab03ee1857ca8d5ca226c9b6e

SHA512
9210d19ad83b05fc6c274da125a0a64541283fb108d2f6814a46ad3d7757589255ef5f78276469189038483171f45f166fa14df0eb8a1e56268e3ae862af074f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5dd1e579c9681f95_0

Filesize
2KB

MD5
f64ff7d0decd83e38631c238c1f6cb62

SHA1
d5da9fda0715137d90083a285f9ef9d4331f9789

SHA256
28f2615030166f821fba8907e51ff158d95ea99ed83103d291cbcab8ba595f97

SHA512
3c034feeedd357cfb57b546c6319a9d4a1014dc330693640d1d66e81643c863f0e45ceb18b8eaf827ef72bff2e9459b61d7b4395e39cdf32e2504b4d45539cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5f8147fe8fd40ee3_0

Filesize
63KB

MD5
b46f6d55761c55344362534f9ce09aa9

SHA1
ca518702b4e3cc1fdf4d0cfeb5a9cb0b3f65467b

SHA256
364315580453fc812a4d3633cd81161ff62b4b79c428ac5733140fe0928f78df

SHA512
eed50450fc6bf0132a6b7605b141a235fb731be3712256d725a611712d6e58d8047efd77c6e2234046fdfceaa37c744702d14d1430a8f9965eeb75d468c127a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\61a0b4d20ae0e222_0

Filesize
14KB

MD5
51011e65ac98474bd33f0fa52f19a6f0

SHA1
05fe02f1b0254b45de96b6d6db97efe5536c4cdb

SHA256
357b3b7af9d552938427e2ef8809f7eed096d14c78a5b56e128b48cc1d45800d

SHA512
49fbb5986fb34f8362b58e9d443eb46426bc28e7102db31faf3d62f7d2d407f1f46b862d1294d6d822791ab9842d08ec609fa29213c9c4069c19fc7555e7fc2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\71d68e68ea4089fe_0

Filesize
6KB

MD5
4dc3a50a33b4df7e463db03378d2c939

SHA1
3d9b287963e418a22ea63bcbfe7fcf2cc5e744db

SHA256
fb8be1a6ccc698bde4d3ec1deaa66faac1ccffa608d3e60dc34883ffe90b392c

SHA512
638cad4dc9f11efd8bb1f3ef84b2eab5f5320be27e0d3862e35ae2a26034cb98c9ba3317708e46979f435bd05dddc6e91ebe6108f493601b076b0a62d319b190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0

Filesize
1KB

MD5
7dc03b6e051fab53e1771ff6f6a2d6c6

SHA1
e9fdeacb1d1e6015f4a0fd4625b5adbd3285b053

SHA256
5a5578e47a865f2cad3fc1cc7a6b16faa9a00710937350a751abd8b37c520672

SHA512
5987a8477d85d9204516cc4a00a7628e64d1430bb910c961ed2092a38d5369f4de319fb58cf98f06632eed226ddb8322eff1fc67d89a2e9dd15d92fe75ce0130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\760bfcd505af5f22_0

Filesize
4KB

MD5
81509c3967eeee09fbadc98e572a01b7

SHA1
1e589923887b83d354ddf398b2d985beb3f0b984

SHA256
6db03ead9cae0defc98df077fffb11eea2ca18ecd8095b0eb95f6caeb57bd207

SHA512
ffcf91d4bedabfc8d859990fa4b68ee06bed55c150df6151fb1f5c1920d42a73823633686b19492f24cea45924a3f035563321a62f135cbc5cae122cda3cbc94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\766094f4b47e839c_0

Filesize
11KB

MD5
20192a2724e44254bac03df711708169

SHA1
8f37f234e7f342f877edb27c19d150bb4a848d7e

SHA256
95124a3575581fc6093384e511afd7f2321b162e0aef9f01172f96c71bf2eeef

SHA512
72e4be7d9d66fd294c14c068cacd6e1aa4e4c24c65b0021135bde3815cf048a38a3f47c2536cdca522a8292e5e05e23a4188448306be197124342b5cc68a2d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\86b9cbd77d05d034_0

Filesize
9KB

MD5
ec31e607330463caa195c3f42adc0d13

SHA1
94dcfea26124cf1e1d2b67ee37f0b4032ed5b973

SHA256
3b8a8b4ac72cb8431032a3ea39e9c6f1ec6e55fea47b195bce9ce48307062c68

SHA512
ee4f444057f3e8dc9d06fd169b9c25ede6093884c4b99b0553eedf08b948b2797febe9c8bcbbad54db33608cc6192f3ff6e4e159094ed654a9ff5f9b5cc7b881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8e5987d08f7b6e11_0

Filesize
1KB

MD5
69969f7671295e9e65e02e79e1ff5dce

SHA1
a1e5ea50c1a16fd341fc463bdf89f1c16b91cb33

SHA256
a9e36158221cafc020db1b734b1cf46b26c1fa9ce303ea53c9806146bc567950

SHA512
3268abfa6c4e7414519ec0938f44c6a87aa9f4dde6133f1085e0c233eb478d15fd2d5a1e581ef66f77dd228455d9e4f7165f1bc1ba613d199f821025a01b8de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\904659bc74961ad1_0

Filesize
209KB

MD5
b8d693a6335ca0200192b3bcb8348449

SHA1
84471f69023fa0c15c4362eb95ba8f259849d18e

SHA256
cffd42f374d6da625e5f61b09d20c5b16109a8982ac88822927b2a12c661538e

SHA512
02695080bbcc72b8c1d6cbaa371c4d7e6ff66f9f434c4646c9cda8e158716d1d53355a1a2377bad1be0162feef15a6ef0814e6fb9722aab47453c47befd499fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\90d7d7591a1b39bb_0

Filesize
262B

MD5
718be3dddf697b6d28bb60edf388e44f

SHA1
ee527120f1422329bec7ff8843474dd8dcb836f3

SHA256
1cf2b4da311f2c6089127ba66dbf3e56a170b7a5c0ff84a84a2a291f7d6fa12d

SHA512
6bce575e4010020adfd4c21467a418b28322bdfa4d077be2e430efecd1df9e35c1b10ac147425dbde1b9568b5223cdf1cd4140fe4328ebb41ec3aa8a9bdf3574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

Filesize
2KB

MD5
5f06eb9fba837a2cfbec56e907a34e65

SHA1
be70193e2d183dd542439c0496da224255ac12bd

SHA256
b2571ec3ddbb74b94ecc6a280531ffaa4897470615c4b4760d4883ca1d1f5f94

SHA512
d7d1ddfe1573487a3b0ac4287f7fd13234da4627d7691e88e550f9c3183499dd7f4dc15c125bb35605fface4181cfdae34fc811c9dd54e2606d7daa66ef72473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b282414830ce0fe4_0

Filesize
291KB

MD5
13e9c1f5d3683d54ef06cbd369a2c056

SHA1
0aca8324a24c5e3bac2519cfb3a3cd4b104de1df

SHA256
6a74df05de1dcf6bb2b516b7a2c8ea74d53c63af4a9ad0467d0947b67fed973b

SHA512
2e271718767ffaf8e2a6f99756cb002fdff1662e0f4759319441a7ab92027dfbdce580fdd590c9e2a600a1a06ac17ab764bc3fad2c60493aee7909ac714a9141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bd95349eb8d9fda7_0

Filesize
175KB

MD5
39a0620b84ce300cfb4fdae9fe8e92a0

SHA1
d239034363b88954a3bc5a2069d86102dd000c6b

SHA256
d317639f383fe94af3546c11310528d43174234ded6d8c4d32ef4cd91ede7692

SHA512
420b62f467690d7ea8837438798e6e80c17a217d79e98e26ff88579b64cc035f9758438509192a11dbc73b91514e2b6999f493f70b6ce8522e4406d7026c8dbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\be6d12311ce2b399_0

Filesize
2KB

MD5
5859cba87bfcbfd0d4bee117f3a78ba4

SHA1
8ee40027f38285fff6f2ac827818b9c327f15d6b

SHA256
74b27f3c4ae963dc0289c7ba65a379604380bdabfcbe347a5994400568f0b4a4

SHA512
9b4dec023d4c09f930c2ce65e2220901adeaaeb695ce0c419eaf65b4b0cbdeb196f325085c3ffe137a9d47378c48c1a7fce99fdcc7e803b66106e969e7e5e74a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cba97d08787ac96d_0

Filesize
10KB

MD5
75f65c3f93a5bf2e4d4e033813af4858

SHA1
6866b90f4db2ca67f31bcace2e541602759f5709

SHA256
a7d6bbb101a1124de2930992d0e8c7c412dc45a23bb0a05c7df910206213dfbe

SHA512
47cdab941b7aa1aa997de2ef855cb803a8efbd0ca8d6c7e578514e61c2689e7b58532cd47f90fabc2911f987600e487ed9f6e78376615308b0e002c3a1c00888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ce003bafb7f85a78_0

Filesize
262B

MD5
632a9d1c6a5c58505d6c599b3868d15d

SHA1
f468cebf85a02fcf7f8e187e7a7f96a4701ad8cd

SHA256
a43879bb35556192c56c8a0dc4d0d01180bed56a218ab5ddc745ff074bb47ab6

SHA512
264481f7afe5166fd9d22b9108e402bfd23d4022f55bb1dccd01cdb26c99d8708136a54ac2f27aca1897b76d7715ba86a61da0ebf6b003d613e874c79e65583b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d14b77eb7bcbd2bd_0

Filesize
14KB

MD5
e74b7631daa533465605824429505bb3

SHA1
5116cf43fa0c7111b3401da2e1db0cda1c12f688

SHA256
c0db6276a14f795a1c931de2feec75f9ab32cf70464e473cbe6574a44bb0fb89

SHA512
4d30690de2208769968ac9adf2aa04f5b2874d8cd5777edff5ce494fb6f3c5434559a097ee1362f87afc2150716f725e8c7e402d17675c797512fa76b9672091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d79e0a2891fc014a_0

Filesize
262B

MD5
71eb821d2013e391d2fe390410de64df

SHA1
503f8e031cdffe325e9ad286da1168c7ae77a9f5

SHA256
709ac5db0d9dae0e89715f8beeac8038e70c5c22a776fa70bcfc50fbb6f1c139

SHA512
f05d2687faf82756cbe9943907899c9d371ffdd7cd185ec48f2a5a7ea6b7c9e5824ac98e7139941081cbc865dd8832a80131c42a9003dff95e700c709df24181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e146fd968644d345_0

Filesize
10KB

MD5
93a84100bdadf0e994e68475fd94916a

SHA1
5f27baf735cd29d2756eefde9f1b1df782615162

SHA256
a09c3780cb1f9dad5e56f582253247f366bd385faaf88f5ced6975f173e04151

SHA512
6d4562889f33240fe865f29a3816c04f49a0a3fda489c9af874c25a91813b8f0213e034650aa08231cd0edeecd234e9ba479d02006575c42f61ea4ca8c99e618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e72627a8f2c2ea9c_0

Filesize
294B

MD5
a9d58452ba567f262ba1c10c7316fff1

SHA1
afefaf9ae8c1626593fe76ca80a3bdc6d224166e

SHA256
91266a5743feca90cf61fbe978aa0a3b2d342f289b611f16a8c92e12b7e1fcb6

SHA512
1b10895ddf971261af8ccc7d9d626c60ce1bd987483b1809ecf9d92ac6f0c4f73619d958954845cb53688118c00ff6d610ddc0ef5b23ae83a164d07252ab5a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e9c7e700cc3e33cf_0

Filesize
48KB

MD5
e60f196ae25d9120e63a4ed549b62341

SHA1
a41c99565c97f14aae00cf4e8f1f41e833161c45

SHA256
e7626b9803f66c18b3292a7361bc68b44c0e47e68796d62f7e49ae2a15e4a8b1

SHA512
30fcb3d471143e705ad29e00cd4199e9561ab20b64addbeb43523c9152d2718667d199ce15ff24769a0f6d12a4d48980538e59fa03b8297636894c6362a606c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2076e2a98754e97_0

Filesize
2KB

MD5
dec3f274c5dc5ffdbb99b778eaec6b47

SHA1
c4757240a63d5ae6b415380868a40480220d347c

SHA256
2a37d453c269fa93864f80e9dfe40e6bad8d2da8cfdbeb243fd0917463796e6e

SHA512
4479dcce09cf0acd2085dea77727fff9faac3e2ade213615f9d39ccc67e88e57d73af2621d165130922c08e62015e90a74dc04fceeb2442315248e63c5d11709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
2649f046125d07adb8f657dbf6891d41

SHA1
55a1d858132dd57572fa332c2d1217a8006a0899

SHA256
fb02ab6f40bb47c78d95e22a71008ad4ce0e246bda5ffd65b7f77a860323ddb4

SHA512
9bc01793f410f9d29ebcc33241f2616bdedae0da23f4f8b7c64ead6da9c435398a4e9c832e0e995db2578e88659c912358a262aeaef437eda579bbafcc746f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
48c536821c0d761a5748e1c8ed3e4673

SHA1
0f78eda5933a62656f6723eb0153de159ac1eb1b

SHA256
2cc986e30d9188c235d66eee7ad17690bcdbf2f2d0408fd11fbdc115d6c9bd0c

SHA512
a9fbadc4c0637c4e15d84c882a37d7b026651dfb1649f7829a06a894648e69c2c10e2250a5e6a3bf955be2030b6c97cd6a13fcfe77063e18666b0a58c81169d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a70d30280e77b00b8e50550e0e0d8b2f

SHA1
06a6d508e2afdf56ef060f9634c13d2c427c1b4f

SHA256
4cd604bbfd2cd16afdff58d417879116b79cd1a23d7bbeb6fe285b496ebbc181

SHA512
d6a2fd26a76e7a118cfd02c90f451af31f0c9ee4a706d76130aabcf1aa535a85f5be66d12da724089f76490b23dba78d0a6786ddff9ec10ae0ef66305e0c5b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
331d417572ed458afeba44bc57e6fa99

SHA1
8fb8937c9259491b051e99ac6fb7cf32a1c6f037

SHA256
55d285caacac137d25a871bdcf39fbc242b2a354d67e7c02b35a156777ba54b5

SHA512
8c3824cf6e8b69f8d3dca1c17988e33526450d110126b90057f96cd0d71fe77b5114976da1665c7dc407d7349a81ed6702c1607507f3184ecb8c2393db6f8792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
91152b68545a17c9cd512e3a8af0b5f0

SHA1
aae39680147d9fd37eede2ff869bbcde9b6aa37b

SHA256
4e7ac00eb151a988f5b79fe355d6b571c389a8be3b4c3da655b61312eef8b2e2

SHA512
44d3354af423a478601283b7a7c648969ef318834761e4da6c452777b7d959139eaaa8ea162d230fc5376e0afdf0c98232bab1472ef38f29d961554e3f35d653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
dd29fdff3bfcbb1431ca7f5a75e15553

SHA1
4f54a9cc286602c8bfff72f1271a79f879f1afd7

SHA256
cc0aedadcadd4bcf7f66702741bd2a68dc0f2f8a461366cb2415ec03014a27d9

SHA512
885fa1bf27f3e2ba82e1c4cb39d4e4fa589a0d5cab5587e94a9cd7feb88e44f97a6dd80142ecffee8e2fd74d763933a8c8cdb43cf5d9bc8f9afbbc7b0e1d421d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7a59a62d7872081f71fc110ffca96ea7

SHA1
c2d81cb668ea2befda7507a496fdb9734cee2308

SHA256
b7b0af3334fee7c11ae5aa21cf6031974f7351c0a4e11ec519dcba995cdf30cf

SHA512
668813922c5216cc851b41c7ad7bb134208e7e76f9f7ac9cd029e5b78a70d54cda3b3b531c97ed076c41980fff8bf37074672b7fcd3e9224311d38bcd3f27181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
948B

MD5
6652825e0cf1f8b808b9acdc676747c7

SHA1
2c27b98c8f78ebb1e228007ab390d8bd378344be

SHA256
ddf6a3cb119df73d4deafc63c6cdd857816bb97d0ac24d1f8238ce4691aeede5

SHA512
27ff4ac2e97fba1f543a8abe77d4881e71e4804836630f9b6c7a87d4f35901065e628f0cd6768f00a59c2abd8061efc24692de158e849c0543f8544415e7dba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e563c8c60f90db295c16b0cfb2792deb

SHA1
148cebcda30e2085329790c25351b9713a16e9a4

SHA256
8cd96da0faf1589a5e94ccb14ec6e662f4e3309d0473e8c2d5dc3238d17b77e3

SHA512
38fc7a56a69f31c161e38e266149a2e6eb685890d6bf5ec9bbc2b603a29626cced3add1e13db72bb55ace5343048010effb9c8283eac6b24afad5162732c86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6547906402d49ac166781b9bacc62fe0

SHA1
1f8a408a1bc0633a9514fb200bced854347bac12

SHA256
d9451ca29fac63c39eda5144a1a1b366d667b5582bd522abbccfd100e799be89

SHA512
7072de7005750abfaf3ab7f326e45d2c32ca7a444d36f5770f09a622c90d1d30617eb55b23763c470f9b09f2b241415095edd1fc2bbf0aaf9bab348cef195986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4bd9a3b2c42fd3b99670b7d1cab14948

SHA1
337a32b60baa6cec3c0ef1e2ef3a31c0dea7633a

SHA256
73e0b4dce08626646cfdf376fb784935f2c843e95e21782d5cd7aca2ad11f0d6

SHA512
ef106110bf814468b05b617be9b3f75750926a923e92086ecac200c02995683f8c8144768f4fa1cae6e4a918a843e772633bab17eb2e03aff3ae36b9b0bfebcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
89312fabb18e9e206f51b2064a23bc3d

SHA1
2f2d9739b07b601c057db148f008175b127a0bbf

SHA256
d7624261b05c8287fac8f8e59ce43f2e6b40fc8f971cd4292f4720bc75aa2350

SHA512
95860fe6a031e6d9e3a2f13baf44e0eeb991060641028942d98d6d67b8ce949e5631e8aa5c2a4fecb8be6ad671ac447a58d1e17df91dba7cfd2d833576dd88fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bab5acd7dcf27a97a25abb0ad3e51b5c

SHA1
132dcfbbb25f3c6ae725c76ab79b76e30df99761

SHA256
938b925fc0a732e07975e48385dfb6a8d0707419732e3d81568004133c9ddaac

SHA512
2d4976f90bca5f897c8f4ba1d2b4f6602872b0adb43f166c9cfc2ac99d0b10616091870b57395d77ca22f28e6cdd9aa4f9206b572310ba3e5139740fb6b070bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14eb81b33555b2fb58c3597101e6f042

SHA1
12a66ea92ff6d5c697a6bcf734dce44ab6f0a76d

SHA256
29c0cf41b9773276834d0bb6746026e5037182476359217da93d171451f7cdb9

SHA512
739335dc67c97d3ebeb52fb572b5b0d00e9596d8925e420568255932dcbde2cb9c1f2fd9ce7c21f03353a8b08cbd73db2dfdf74f40de41958f04d24d814d7675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fbfb1e949a50a065bb736efb6c07f799

SHA1
caa10e5cf1d8d858dbaf48b18d1b559918184730

SHA256
6b40cc363ed363aa6e59c112b48f429f7a4d23ed587ea594e9c867a0914f95a4

SHA512
5fb5761a1c008c189f7d3f35b3aa3a69b1fef794039631dce6ffa1b24a347f4127378714038f3acfd9aad22275865a77d0795d52d8581c26092b61e728f17d9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
570650b0ee2b14e37c7bd5abe40239d4

SHA1
96ec98cb3e5c37d231fe79cdede5c0432556ef28

SHA256
e9497a0c264d773038d1b886c9443161017a0188a874f89c3c45e1e84886097d

SHA512
bab6db64dc0de3e9fcc24bf74db844596c24ffdbac3d8e860d1b95f1c581c27f493bb78db539904f02bab4d86a4fb647b3a1492938bb1413d2560da425784db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54ce8b4e60d029b14e6541a961ee0554

SHA1
b4490cef7eeb0356ccb08c20c651c51d120eca4d

SHA256
e268844d058a63e570c032c7b2f1f69940cc340f62d3f4e600e9bcb37f572b57

SHA512
08811b54cdd967993e14c08f4eee394310fb79ecc51750c3763a46e1f2dbd417aae960903de258fcfb4c09c949795ce8f01071c09654bb24701445707751b380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
837b943342ba920ff73cbcb11f34a054

SHA1
938399e948b9d443f095f152d37ef0271cdc2af7

SHA256
ac9283537805aea8d7d7939b4e5bf136ebc34b9396e271f644d926b7b0dfd58c

SHA512
6df8ede3edb20b0376e993930733fd929e9073fe9d2f7aabe0253cf4272ca0874cf8f6ee4c6c81473696d1ed4de9e588f4ee556c8903ac7e25dd2715f47d5f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
940d38b1a2817bdf017e072fdad60f01

SHA1
f59cf4ce555ab8c2860bba0208d5156989feed0b

SHA256
caaf28bbb283bdc2e13707df400649b30870cfe7bdb24655bc6685ad57368c67

SHA512
d2e5aa92e4bbafea36ab586e41996e293a71f3e301b1e4f8398647130011525cd825aa79b5a20f79fe69a6585316a9a2e92ea59e0a952afe03a11c49b5610cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
acd601ee01cd0d0ee8405dc4728119d3

SHA1
0c20d36a5cf4a49a396975886dd0a3e57e7b3bd9

SHA256
d6b7b82fb213a676fe361ff8ddcb2f03f5af5e206c0b2cebaa6d550b8efed618

SHA512
68d157485970b8ebdcd91222dac7e3244de1264fd2370155e9f7fb41173f1484806d96b5145f52ae1cf11600420c2458895a7a807278334c9f61e610ceab4a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8edfcb9aa4e3f1cc539e16d21fbb5fbd

SHA1
fac1b543492f92a7f497020536461fbf49b7f3c3

SHA256
76e7a37dc21222c31c4dc8e1aaa97cd8fa64bc3f64080f1509d386b6305eff0d

SHA512
9829a83b2fcc729627e5cac36a17dd1271b0dc29356bf4f65661fcde945f6776744f14b08e2eccf8eea6755236d3cbaa29a18ee3cead76f50560bf53fb2e1e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
efc5d453264a3fe8a156815b4ef99df1

SHA1
17efc33869246db153883ce0919be7512eb26120

SHA256
84754c6c9fdfec03958104adbf8aedeafb3ccbaaade44fc04e238afde3ab9ea8

SHA512
a35ed94a06675bd6604c35a4e7a04042d55fd01a34c94b21d3f2e9eed3472abf0048a86aed15728b602ad6069ce8a2939661e94c40c46cbe10945ba31c5c96be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b836972948b3ed9d161cd2f05808f886

SHA1
bf7f3de8e4ec948e107b4710e0924afb44eb01ce

SHA256
02d263810fa1052fa538cb30506c1144ea215859293529a5b322475c2cb64ce7

SHA512
427fbf159eac6a9759bc125290261a732d1d92686c5b9a9088e593f5e52bf01c057ec996629b8c77e5ff928272bbe537ac01db26f456bd6d7c61127f9c509045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
59cf4757beea52ce95d5b73ac982afc1

SHA1
6fcbb90149162b63361dbf1f6d880b9796f1cbc4

SHA256
67e4d3efcff819f53a25c61dc1878854b6e9377f1aac7a62b654e1e405147c0b

SHA512
0fc572f834cd57a2ab096334a56e9c6ce7beee1f70121e41a837518aee049d7942efa91b0acf2de50ea7c39c1986cff1d68134b8c33f44b2fa88ad7473a33091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
819a7e23cb54aca793c0fb6bc7d35073

SHA1
54d626040b9bf42e91435cc5f935d55ccc4f2353

SHA256
cb17ed61acb8cc655fa9771cbd151d31f58c60c4ed1a90c78dae608cd32c7089

SHA512
eb11355ddb10fdb6cbceda7fcd80a13ea3978a3e4071a5686539f00be34c88494ccab90a36ccfccf8d93fa08588dd86100ad335b59b4b76b77e0935f58768dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c04735d34c60b5773a3d076446fcc6e

SHA1
092357579fa866944d87cff5e8da005477eda897

SHA256
36b3ca8ef71a59f3824a11e47ae5ae497accf472f35475ce1dce4561db45504c

SHA512
18d6ee9af788b65ddbe49746935a8a2543bf94cbbf2fde9f50b8bfb78f7bcd2f7aed4bb4db5e85100721d187f099fe32f80bb2b10c4698a4cb9825d9724581f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\20bd7234-2f03-4f8d-8965-8c998816961a\index-dir\the-real-index

Filesize
72B

MD5
73be0d207c773f3c1ce805f49fb0509d

SHA1
80c7db569ea6dbb824c37e9763d2c18976325357

SHA256
4bff6c965d2f86d0ea6ce4c6800627ceb752edebbaef8c881548775b9fe4246f

SHA512
fe5910f97637af07531b3b4e2282e2c01f931bb59068ea5eff3e33f578c515a94b074a4f58382a28398369a866b0e189fed7a444b1834d55feddd091f28fa2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\20bd7234-2f03-4f8d-8965-8c998816961a\index-dir\the-real-index~RFe624773.TMP

Filesize
48B

MD5
cfd60d7cf86936a6c5d4de24004c51c5

SHA1
18b0311c37d2ba8b21a317c51329b0b7788b8ee5

SHA256
4b0bde9c40b8e4360870c4a4e3061f8b48a46ae987d58ff902f3dcdcceb56eb5

SHA512
e29f8a5eae0d94562c8a56141c70c6826b50403872625565ff6c772508376b107c6321cca176545da30fb53aec2b0bd2e71bf4553b17a3c78edff416b692d3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\ccd25e4a-3ee9-40d9-b363-b17aab4aabce\index-dir\the-real-index

Filesize
1KB

MD5
ba69ffff7028ba9406f6b32c97d8d418

SHA1
2d8a53ec3c565b1bfe9d072610dd7db170bf2f1d

SHA256
ca7e90b6bdddfeb82860db28eebbc2a84110b959d98162bb1d8c6cc222b71d93

SHA512
64f7b0da8dfdf7a59f7c9ae43468485d368e5dd880639202361a4c8802dafef90d861c8876c94158e79ed49bbbc421df2d2775b126a6934d62aa19ab24e1743f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\ccd25e4a-3ee9-40d9-b363-b17aab4aabce\index-dir\the-real-index~RFe625147.TMP

Filesize
48B

MD5
43ad4a1e8bb62b7b396883a1266838f2

SHA1
fcb40dca298b2595b11af75cdfecffd0dc03adf9

SHA256
12b9b30f3cc122f217647d5ff8673d394b568ae41412035aaef63f357c961232

SHA512
350a0c81358d16ee7120c6f585817d3387787d6df9eea44359cb656400a93c82e27f8097f38c78210445fd3c946c9e10330ee39f11a127fe9304ea0c1561bb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
109B

MD5
e4f7048f2562852468532d8fc5c9d2c6

SHA1
b62ccdf22d4b35885d25ca709227b13f4b73e68f

SHA256
5f9910b0cd2b42ff2489b22f9ed74159f2e483cd599356694073ead407d4c6f1

SHA512
3b59fffdb1d492017bb8362c5fd254f97b679855aa7061bc012252ce2d8ae21e25420a31be4e069b949cea7e54b495a4ca516cf5d37ab9808e0eb734afce1745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
204B

MD5
c8bd48e31a4f73df412907570d5f37d1

SHA1
d93370f40a36b79cc3ecd930960dd0fbb067a2ab

SHA256
48a0a83fb93882f599990f9c99cd021f7ac18297494d41a06e12ab1e219e6841

SHA512
dc77dbf8ea1e6128229ecd27025ca5cf2c356817473c8aa43214dec5d7b8da9ca6c5e5048b6333816d039f2ee79f8110008ba7d88f938b5e0f8fce46609c9d97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
201B

MD5
faf7503e827540ad033a5ef2f8e6be96

SHA1
994a32864e23fc6dd2ecb0d723cf2f8da3870184

SHA256
95372d79463842de8fd0640a922d6d9243131ee6173b750edbc71e1f2bee7116

SHA512
0ce7d6ce64e610d40df8549bc126d8aef5659052b31454310ca83f75966df0d71ee237a9d2e96dc257dc1794a5e89a275a115f0eb72e6ac6fb7d8a32a64f6260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f82de1ffe461583443c6104a76ae3c41

SHA1
dea0682fe8285ee22069d2f5d516cb51f32fe229

SHA256
35b1612461e64136ebf196d09ad958dc29a3361616cf642d6195a4908e018da5

SHA512
86e099b0acec707dbd4610f8533c1e3c2ab95695104dd97cce849cb5ff187a8cc5801e145688c61d2374f0079b43c41b58ddc1496cf4611a2b0967563274bc00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe624735.TMP

Filesize
48B

MD5
974a9d3bc9ef337f9a798ae5c63d47eb

SHA1
503b95aad4a359466841f93491b04ba054163d46

SHA256
a0984c4c6102601ddd2bdabb39f4603700c1a960e216013c3f72d24afa660a85

SHA512
aeddad7601a77f406f47102a424e19e3999de3ac6fc4b3f9d4d5514f8b4d6570ab2208c5cfb3bd8ee9f9f529d5069e5d5e47ef41f0658bd0dde6416192122ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
72be509f5d05a2f5097e234202c71a2a

SHA1
162ff825b4b483dbd202e2bccb8d66bf000798de

SHA256
63ec569d5eb205f54caa83e252d71e91b9afe6e8ae596400272e5386a5fa0454

SHA512
024f243d8722fb1fcd773b56695e363dbca8e05c01db5a36fbc1051231ec54a030efd0bee4a07e76e0b32b8471a93deefb29adcc0676f98737a2c61af39a0b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
78097bc1845501c677f349da21a96bbe

SHA1
2fed039ed19162be091e8814e92f1dd9a39be0da

SHA256
803767cc41d6c532a82a0695f687bccfca05e68ea328053ce76348de167bde9d

SHA512
75f9547237409310203cae66ca6ecea6ce213b93d107229740d77fa76401af4cabce0376873c6146a17a17f5784df99ece05d57b97dec74728d1195a13b4d6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
402d4882268f30c9e1467def9550d597

SHA1
2523cf68f3c2fea41a51d8d4f743a84f09164e46

SHA256
c2c43f93b856ef94dc2a24f82966d84e7afeba10c485a64b517529fc152de0d1

SHA512
f2b447b4be773642fa300abaf65a92eb59bbb445cd33be6cd29d1da3e7d8e21636f744d94d66662d59a459f24f84d3fb4f53d9fb93943bf6b805ff70afdd22a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7b439ae01b57821e3af8260c14bbdcae

SHA1
25c5625a1dd0656caa8f7fff411d116abe8fd3f7

SHA256
38d179ff8f84fc1a61483970a679a747b014702e1346cb02c08b7153ee2893e6

SHA512
d0c2dcdb8a94f3054520905c2ed47c84bc8f442cdae5fe545274bafb0c3063b7d683b151788a7daaa96e8a9c0da88b048d7c9d398f37acd560ba52298d2fee64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fd8cbfa6bbbdd0b2f5cc83b29bb56521

SHA1
22c21555dd4f14abb8c79dfe32eb1edc595e0794

SHA256
bd5fbb205ef3c7e70f260d74702579105af4133892f358813ad09ac08b619da6

SHA512
4b7a7c7489e4f9250019a384d9578d0198d837cfb21917e0505a11bf81f5960306504af6886bc4b2000a7263f96ecbf87aa9ee9e6c3a42b798e405f9ca319796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a9070ec8fd4ad639ff6529479090298f

SHA1
8006a5281b77fc76fa2cced3d92a401180d578a4

SHA256
e5594c30bd1867dd11251310e6d34690d9745d29079dbb1bfcff4fecb6661c82

SHA512
8cb81e240c84a400fbff9824e864af54565efdd1b31b97d7c0a6a3a39e290de4dbafd15756df5869836912fc7929d010a7196fe80b706aeeaa35bed568543306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
700106cbd2a24d0fb668a256d52adbb0

SHA1
51edf4c65b15b473749ad9bdfbb7a0b144b18cbd

SHA256
4e69ba33163c5334c0dbd15b710245aafd463c3c652bd3ad84f80d2abf2184c5

SHA512
abfca727f3c536d7c53c75ec66ccd41733e70d6cc151eb1ad9d73ae4e1d6f510869fa33be335e73ab1616e4d1b7818e4551bcb242af491fff36f93825edc7c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b76ffb7a8c4600e235f00773f246a465

SHA1
a4b3b10e602cc7f8aecafd2e2c83d1ef4d7d1633

SHA256
1fb7320d0c0293b71f1cf832a0c2cd447d4b90dca1632606f007a1060597d6b6

SHA512
7bad7d4b063769ac3a657e6fa0052c1dcf6fda6b4ec0533efda771a23a37e430559ca4183ece1a9776cb9059821af53b41777f5e1493f135188037cc10dd74d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7cc4222c4ea63672609f3d7d321b5c95

SHA1
f202491ca921a05396270526c065b5144be12a60

SHA256
ce89519c7a5891ab9538daaf2e58a086cd2fd3da76424dcfffbfb709025c295c

SHA512
ce523655bbdc19d7dc9f7fa6073135810216271dbf3d0ba34da64acf8bbc162431e7d74841488cb7cc6655a26e6ef9149b6aa9c7654a090cfbdfbf3d8d6a8471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5e2d19a2c1ba650766f80532b938a22f

SHA1
b01bc5279941d0b1317bf885337363884828e720

SHA256
864f42f239a1733d09d60e698b327f746e89a938042af273ef113003326a2e97

SHA512
be9913e77bdb64fd00b27e51ac31f6ad288b72f7edf94d67cda5758141e19efb747455b8cba714c3053286b239ef72e7420d0b708d18b874a66693819710a544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
06dfbf85b4527d984ece2b3336e813e5

SHA1
1b7dbb7ca099cf0bf0b9fec41c61783447e98a91

SHA256
d9d54419dc1d1816903980eb7a54d3c4b038497fbe08f27b82aaa261776574bf

SHA512
a1861553ddbdc221fb2c53d1d3e4569f97eba0cd67746b3f2650a98b0874c46298d4a3015a06f97f89adc3b9cb2d8ed99b4bdc2d50545909868df3631577e1ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3455255707d58727dcd08d5cb37fa6b

SHA1
973c8c2734cb3f23f53d76bbfec820e90ced9bd1

SHA256
56fb700a4a9702041138f383b9d60718b88e4022f8d483ad3a81b262637f3150

SHA512
938807347d7fb36f342947d9e5339b5180e9a984284d54245acb7448cf82bcb068a2b6013611383b03400cf16e698ac7c9f94da265a35892a3e78071adf72a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b040.TMP

Filesize
538B

MD5
b7c0b1acf45f531943f3a30a61fb9853

SHA1
b3a154b04c082c7dfd4ad1148c4481623ef96133

SHA256
0aa460926931e0716eb7321ac195639b5a79d69c57b427b57637e1eb08a161a2

SHA512
aa0f6fdb558f41ea3ded2d69ec27b0bfe065026e60c5a19fe3fb1b0e9dd90c6d4a10dd15490a49975509cfa0dcf166bfbd8a27de9812a91cc15f752ee67c1f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1837b50db2c9e9f28d1049994d97c5c3

SHA1
f050b65cc473ea5fe0686835971ca66ab68b3018

SHA256
faefc9123eac1102e473f7d081a286dc8d110bdda06753415c51ee1451c44475

SHA512
efb36b972918dcd6cd58cd4b40273cec585a4a13bbc0cae34451e0348a74f2401232fe082494043e40dafa722a11d44911fed1223a25287a86bbe5537c0e0443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
87b58e125facbee92291c54b5fca226d

SHA1
bafe0d3b8adb33da25982e00fac70ac9ae5fad8b

SHA256
514cfc18907e2003e5947349112b901dda5e9134a05d5f2c2ec3b77862355bda

SHA512
e148ae7393cbc2e89665480127c8cf7bd1bdeb452a2345195e69beca3611bd247422c02f0b972285f0bd22a0c39ff58d121258b54e6745a2fc7b5c6eba6d5637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2862509ddd5e0ac03f1c84bfefc6dcb0

SHA1
3eeacf48f0a62063327cba695643ec2bff308663

SHA256
13038df19d9eb8f9438956319c7a07a2a6d345b56d75fcfc50f7e54f99cade53

SHA512
ce9d909d85295165936a8b7ce99a09cdce79e291c8e98bb03e39348c129589279a2902d9762899ca98b1f1caeddab6580419088fb818975111415e271d96216b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85c3dbe0efc465ab7c5d61098ed0a06b

SHA1
f82b4efa9122fa9724a413d8435a5ff0ba9987e5

SHA256
d1da670592a56e876d6babd5823cb1af1c921060f92219327bb71156395c2eb3

SHA512
e3b912e4674263c033234ef82c2d7690a47fc352cdb529d3a0bfff2544b3d62ba3754f9d3c91ae232ccf72f682353093ea24a61b75aac21ddc0538809af45045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4513ecd1b9f679d968c9b6e2f95316f2

SHA1
2a597ad572767a3d242228c4b31b2e1f224dcb06

SHA256
b62a3e21c1d19aaa16c718d8c851c8ff9bbe7a35a93d6da6d96cd63e6d45c174

SHA512
25803e0fef21f170edb5bbc69ec42cc2ef703c1ddaa25970e54a9eb4792810f9d1d831d684ef2a53be2915753703a47aed991cf994d70f69cde03444da9e6997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c470d88704637f44315d30eeda55cbb6

SHA1
d00aee4ca8027cb91ce6205f62fcf331ea1a9a77

SHA256
34c94d074eca1b1a047c421aa9de32ba5cbd6787a4c42e3c76d60ca07795776d

SHA512
bdfbe489eb5f577cc82bef5230ede90de9fcba8dc7dacc7e048cd8626eb7c2aa7623c536ba2813a057896657714ddefaee48d7627cc22300e08e2776f4f6cc70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88577d2f4808cb272fee737c1fb7c494

SHA1
374d56763c8ea92519c8cf42a91c1081331ce978

SHA256
15c5105a92512fb42440a790569c732bdf7fbf0b336ab279249254889c36f98e

SHA512
7929ced14314a8e1e0e10cc56e1c04f8ed0f3a3e10b2c54d18638ece9455212f4d8a55f97b20f0ce90919f6b034bef211e6600d9eb8a99b50474ae9a890f3ad1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
d894cb74c8df774551465d474165497d

SHA1
f1ea4fbc9484bed10cbd5aae2a51af6e1ba6d011

SHA256
0919983398ecb549bc87aabadf4f0db3aeff10b8b27804c31825c366090c623a

SHA512
7745b2c8f196686647687a77a73202b0f73bb4f4c4afd737dd515efcd5ec84e59e2dfaf4b37ab3022dd099faa9a4ced8edda5d97627e621a25a765cfa8d60b4d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\287061738812095.bat

Filesize
400B

MD5
ab68d3aceaca7f8bb94cdeabdcf54419

SHA1
5a2523f89e9e6dde58082d4f9cf3da4ccc4aae26

SHA256
3161fdccd23f68410f6d8b260d6c6b65e9dfb59ef44aef39ebb9d21e24f7c832

SHA512
a5de5e903e492a6c9bcf9fbc90b5f88a031a14fca8ee210d98507560290d399f138b521d96e411385279f47e8de6a959234a094e084c2e7e6c92c0ea57778f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
1KB

MD5
57206602a5d5528f57a61e6ea6df7bf7

SHA1
835fb0aa647a2913e89d10a519303c39ea024912

SHA256
6488c9af91419bfdc97b3bd5600007041db3460238d065e41769e3937c714980

SHA512
f169323e40eec74aaabdfac5fee0cdcb1b6e5841314fcfd9053df32829380282f44e31370a2ff2f982e78e6830f3bcb8f410f5f746d30dc1bb15f86fa539662d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\m.vbs

Filesize
279B

MD5
e9c14ec69b88c31071e0d1f0ae3bf2ba

SHA1
b0eaefa9ca72652aa177c1efdf1d22777e37ea84

SHA256
99af07e8064d0a04d6b706c870f2a02c42f167ffe98fce549aabc450b305a1e6

SHA512
fdd336b2c3217829a2eeffa6e2b116391b961542c53eb995d09ad346950b8c87507ad9891decd48f8f9286d36b2971417a636b86631a579e6591c843193c1981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
f18d4b9e702734dfb0a415308eb2e3de

SHA1
3f62d7f7a8aa02bea57097f611879fe7b05a0aa7

SHA256
39afe5e2c97d961a57c853964c2bf32ab781467624414f5d25e4a699754cbdf5

SHA512
86544633137b16b3edb821fedadcff8fcd5204f6287a9fe2bfc5bb3b6fe76ecd840aebf03d4108c036c2170c6dd8387782c61ef72dac885956bab1644cf0490c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
6KB

MD5
d80514d30447a2b6f5c941492a69792d

SHA1
62b24a9850d61f90b2cf81aac4070854b1017b7b

SHA256
942336ae80eb564bbdf2a27965406b47570b6ea52ea0ac767a68b6a685c7d028

SHA512
4dd2effa797905b5e8ff9124998139b001b88214fec2e6d030b28f134ca31e6c0c31fd5d26b75f9ae55b89cbc2ce35d28ab101ebdfe9a38af67b4c3b445ab777

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
8KB

MD5
b8a3a50135aa6033a9b18fb3ad285a20

SHA1
1aee26a96ee94dca90eb67b9e31891eae66352ee

SHA256
d31a05ccbe56a145b113afc40ba7ce9b536f1097ccb4bd675574d7222c079d36

SHA512
613535a02c1e23e5b78e8f922f6b84d22f7fac14c3c497bf2afe2813452d789d52eaa086697c27dcf2eecc61f41dfadc6436170663a6f9ffd27563b81b50ca3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
0821fb94e2ff093c32f7175e835c3d5f

SHA1
aad88d40d64e09b7bb90c9e5a32c02934535f0f8

SHA256
1e185737da44199a05e38863873dcc80b2f3e2b6fc9cfa1cf089b862e68ba481

SHA512
a28ef5affec875738112483d7beae0a900340bf9e84de4927179383570abc8789fa8a49ea224ef286bae252ce6e952f5108ebe3401bdcf5041050dacf2c31ba7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
abadf5e118ed9f532b1caa4d70972c5b

SHA1
d963a233dd295bcc76c0ba821ae5fbb5f1c5a8e8

SHA256
c749ac3f63f4e7fb436c9aa22d725cd44fd58dc9e429c4a7bd84d476f8c15699

SHA512
a0d7af6020eef51e2319578a04fdb5cda27f1ccaac466bcc0015e9ad6fa56202959971fa3a55ae6e06b50d96c247283ef1e1772baa147ea50023c9753bfc28d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
8cf2c9dcddf3303792c650e0e29ae832

SHA1
8a19a6bd72510402ef34fa8c5e460d817f483656

SHA256
09501cd21604a2bd68e3cf04bfe4a0291a4cb4cde12dd78883492699f769b60b

SHA512
51307e129a9c942aa6d7b54fc77ceddb42c4e910a1fe085ae2bee289e65eaf922ca5c2d8d376ac1f0a7da50e0332ab9eff41ac12b6cfb01932ec59f250c44fc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\21a0fb75-96a6-43ae-8184-9c5f4ba2dc51

Filesize
659B

MD5
9c5e9f3e003fb65bbd20dc23a1a491c6

SHA1
3d0ccec10d5942de62a60cc1b8109f3c09c2528a

SHA256
ef4afa8b7f2fba6bd259234265a01f5aabb153a06274c8ffacdf38b7c977b198

SHA512
88561ec58044672a0df0af48e8e4ee82c1a0fb8ff8a8cf305b480a3e9398e74b32403a91ea5fe60fe8977b6b13e350da1cac78693c0a7e26f23ef38d2ad73384

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\f9a7f1bf-88fd-431e-9706-7a74191efb7b

Filesize
982B

MD5
14addb8dcdb1609b8ddaeb8569f4c725

SHA1
378951db2d9973bd634677d0a389ba79c45fb4a3

SHA256
d01f7b1ff688b3336e992c3fefe4a2fe36b9970ee0fbbc63f5fd5309adbaf6eb

SHA512
f8bed196a4f754e16ade1d0ce52069a17eece88da0ad5f9afb186813415c7e0d76bfde88d8e0e7ffb00b402ae6a5fcb8c0b32c5fae6e0aa55b0feaac5cf6419e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
10KB

MD5
8a491bb45928b11e98749040fa405dbe

SHA1
f565508d28e04d88712ceccab07e18cbbdcda249

SHA256
0a27cc8ba92c9b144bbc56c3db8eb199e47453fe59cfc75639705f84109f3c34

SHA512
da63a93f6ee6023f959791ebfdf442b24e812d1bd98a884eb14231c35792d70e9e21ef7fc5a87dbdf90b9762e8276bc71b25ad8bb5d8674515b8df978292bd88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
11KB

MD5
cf70b6c31539d94d1be7c7d2aecb665a

SHA1
6500ddea48fac527fa392dfe301e5a0a6d1aca0e

SHA256
2395b6ed22ec99c400fd70ef823247b2c3a894064510053c2fa20588c0992a21

SHA512
68031efeb5cb20b5580e4d6b3c97e6c4a3e4ea91df05381c1c99c36a3c63e2053c2ee6c20847bcdd687eb9e1738e19bafa98cf96eab17e979fd01b1b45ce88fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
9KB

MD5
a1c499685f6eed8b8ce763c1e39dff90

SHA1
5201b23a804e462aacbcc512da082d1a575f363c

SHA256
3c0bef77ff609ff8bf68088adb5bca6d5919e27500f4fc38d4340daf12dd9f85

SHA512
8d6f47f88ecc528636074db02e405d1baff8476014b2948846056139cc5a53b713108552a5a70472b4fb3df78cd0c355167c319e016a788feb67d830caaf831a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
10KB

MD5
d2a9023df3f346acd56f12284f25ffb8

SHA1
b6b5a0d51fe96e72f1f1c44c15ff1fef26f1013c

SHA256
973ecec0c633fc4a0c1610d77d4e5ea90e53d3b5b69ce47b03f8a63ee842cf93

SHA512
82d4f2c979d91f0ce8b1889ba95dfd84ba96e5155e44631ee9a51df9df73e38ee298decc6ebccc6c3281eb611ba3915df89e2518e9b67657bbefed15cd893bca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
640dab0bc368a446c20cfa4a9948a3f8

SHA1
f2528d7ac76e63a4a560e62f2308f56bbe090e1a

SHA256
331e0dd6f690c2bb1c6028205f09f006a4c8d3d432850ca58faf80530895a835

SHA512
e83984de21c8d04ba8d0d7b03478d6c4f5c0dd5fe4077b22a7562cf9f72d9ff3ce5c2e267463224372470db3cf6a0c9598ed1ad86b500fe43bb70be909a7b52a

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
11.7MB

MD5
a324148bd9ff3651549ca0f3800b31fe

SHA1
bf8569758bed1a9d7047c498be666095eaa337c4

SHA256
b9ffbd160ca7693356882d0525a44d8da7456a89a8182befe564d3e0f87f1f69

SHA512
da1f819c50800980029e1310d6cf138c5e07af439fe1d5fc3c42bc619c41fa5f39316b0768d1a7471ae1b3c0397722b72303b4bba0b32b89c5744fede8460ef5

Download Submit
C:\Users\Admin\Downloads\Ransomware-Samples-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 352695.crdownload

Filesize
15.1MB

MD5
5a71fddd6b48215f4950ea80802e8ffe

SHA1
011df59169894512015bf302d338c506d1e6cd7f

SHA256
5fa4cbe0983a59dddd8a58c33a5cebcc0742c24f59c08f1cf78deebca0672697

SHA512
2cd0698ad20620cc8c2d94cb5eaf2ab2ae7ef599f426bf91cd1c2b3387dd2c9be362eff53ecc9cc969cba798405e618728966f7a903f42cbd0098f7b8327ee4b

Download Submit
C:\Users\Admin\Downloads\x60ZcCWZ.part

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
memory/3116-636-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3700-2392-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/3700-1958-0x0000000073410000-0x0000000073492000-memory.dmp

Filesize
520KB

Download
memory/3700-1950-0x0000000073410000-0x0000000073492000-memory.dmp

Filesize
520KB

Download
memory/3700-1951-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3700-1954-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/3700-1953-0x00000000732B0000-0x00000000732D2000-memory.dmp

Filesize
136KB

Download
memory/3700-1952-0x0000000073360000-0x00000000733E2000-memory.dmp

Filesize
520KB

Download
memory/3700-1963-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3700-1961-0x00000000732E0000-0x0000000073357000-memory.dmp

Filesize
476KB

Download
memory/3700-1960-0x0000000073360000-0x00000000733E2000-memory.dmp

Filesize
520KB

Download
memory/3700-1957-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/3700-1962-0x00000000732B0000-0x00000000732D2000-memory.dmp

Filesize
136KB

Download
memory/3700-1959-0x00000000733F0000-0x000000007340C000-memory.dmp

Filesize
112KB

Download
memory/3700-2589-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/3700-1967-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/3700-2267-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/3700-2273-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3700-2322-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/3700-2328-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3700-2398-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3700-2517-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/3700-2525-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3700-2564-0x00000000009D0000-0x0000000000CCE000-memory.dmp

Filesize
3.0MB

Download
memory/4780-2-0x00000259657A0000-0x0000025965A10000-memory.dmp

Filesize
2.4MB

Download
memory/4780-12-0x00000259657A0000-0x0000025965A10000-memory.dmp

Filesize
2.4MB

Download
memory/4780-11-0x0000025964160000-0x0000025964161000-memory.dmp

Filesize
4KB

Download