wannacry | hxxps://pixeldrain[.]com/u/TcV2BREC

Analysis

max time kernel
440s
max time network
442s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2025, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/u/TcV2BREC

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8ED5.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8EDC.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 16 IoCs

pid	Process
2716	taskdl.exe
4976	@[email protected]
5292	@[email protected]
5644	taskhsvc.exe
6028	taskdl.exe
6048	taskse.exe
6056	@[email protected]
5528	taskdl.exe
2428	taskse.exe
5724	@[email protected]
1084	taskse.exe
6044	@[email protected]
2928	taskdl.exe
2008	taskse.exe
5144	@[email protected]
5388	taskdl.exe

Loads dropped DLL 9 IoCs

pid	Process
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1292	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxllxbggsomj059 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
248	raw.githubusercontent.com
250	raw.githubusercontent.com
157	camo.githubusercontent.com
160	camo.githubusercontent.com
163	raw.githubusercontent.com
164	raw.githubusercontent.com
217	raw.githubusercontent.com
218	raw.githubusercontent.com
219	raw.githubusercontent.com
158	camo.githubusercontent.com
216	raw.githubusercontent.com
249	raw.githubusercontent.com
251	raw.githubusercontent.com
159	camo.githubusercontent.com
161	camo.githubusercontent.com
162	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-hub\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-shared-components\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\wallet-webui-101.079f5d74a18127cd9d6a.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\buynow_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification-shared\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-shared-components\cs\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1012398925\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-shared-components\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\th\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-tokenized-card\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\Wallet-Checkout\load-ec-i18n.bundle.js	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_948391672\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-hub\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification-shared\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_583683149\edge_checkout_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_583683149\edge_confirmation_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-hub\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\Wallet-BuyNow\wallet-buynow.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1012398925\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification-shared\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-shared-components\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_948391672\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\load-hub-i18n.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_948391672\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_948391672\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-hub\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_583683149\shopping_fre.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-shared-components\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-shared-components\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\webui-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\wallet\wallet-pre-stable.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\Wallet-Checkout\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\wallet-webui-560.da6c8914bf5007e1044c.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1066399770\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\bnpl\bnpl.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\edge_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-mobile-hub\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-shared-components\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-ec\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\Mini-Wallet\mini-wallet.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\Notification\notification.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-hub\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-notification\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\wallet\README.md	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-hub\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-shared-components\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\Tokenized-Card\tokenized-card.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\wallet-webui-925.baa79171a74ad52b0a67.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-mobile-hub\ar\strings.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
916	5292	WerFault.exe	164
6000	5292	WerFault.exe	164

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874253012867865"	msedge.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\.cs\ = "cs_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\so螟িਮ踀\ = "cs_auto_file"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2873637269-1458872900-2373203793-1000\{96BCCE05-7034-46AB-B0E4-3FDCE72E3ED9}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\so螟িਮ踀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\cs_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\cs_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\螜়३谀痄\ = "cs_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\cs_auto_file\shell\Read\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\螜়३谀痄	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\cs_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\cs_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\.cs	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
200	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4652	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe
5644	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3108	OpenWith.exe
6056	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4572	WMIC.exe
Token: SeSecurityPrivilege	4572	WMIC.exe
Token: SeTakeOwnershipPrivilege	4572	WMIC.exe
Token: SeLoadDriverPrivilege	4572	WMIC.exe
Token: SeSystemProfilePrivilege	4572	WMIC.exe
Token: SeSystemtimePrivilege	4572	WMIC.exe
Token: SeProfSingleProcessPrivilege	4572	WMIC.exe
Token: SeIncBasePriorityPrivilege	4572	WMIC.exe
Token: SeCreatePagefilePrivilege	4572	WMIC.exe
Token: SeBackupPrivilege	4572	WMIC.exe
Token: SeRestorePrivilege	4572	WMIC.exe
Token: SeShutdownPrivilege	4572	WMIC.exe
Token: SeDebugPrivilege	4572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4572	WMIC.exe
Token: SeRemoteShutdownPrivilege	4572	WMIC.exe
Token: SeUndockPrivilege	4572	WMIC.exe
Token: SeManageVolumePrivilege	4572	WMIC.exe
Token: 33	4572	WMIC.exe
Token: 34	4572	WMIC.exe
Token: 35	4572	WMIC.exe
Token: 36	4572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4572	WMIC.exe
Token: SeSecurityPrivilege	4572	WMIC.exe
Token: SeTakeOwnershipPrivilege	4572	WMIC.exe
Token: SeLoadDriverPrivilege	4572	WMIC.exe
Token: SeSystemProfilePrivilege	4572	WMIC.exe
Token: SeSystemtimePrivilege	4572	WMIC.exe
Token: SeProfSingleProcessPrivilege	4572	WMIC.exe
Token: SeIncBasePriorityPrivilege	4572	WMIC.exe
Token: SeCreatePagefilePrivilege	4572	WMIC.exe
Token: SeBackupPrivilege	4572	WMIC.exe
Token: SeRestorePrivilege	4572	WMIC.exe
Token: SeShutdownPrivilege	4572	WMIC.exe
Token: SeDebugPrivilege	4572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4572	WMIC.exe
Token: SeRemoteShutdownPrivilege	4572	WMIC.exe
Token: SeUndockPrivilege	4572	WMIC.exe
Token: SeManageVolumePrivilege	4572	WMIC.exe
Token: 33	4572	WMIC.exe
Token: 34	4572	WMIC.exe
Token: 35	4572	WMIC.exe
Token: 36	4572	WMIC.exe
Token: SeBackupPrivilege	3284	vssvc.exe
Token: SeRestorePrivilege	3284	vssvc.exe
Token: SeAuditPrivilege	3284	vssvc.exe
Token: SeTcbPrivilege	6048	taskse.exe
Token: SeTcbPrivilege	6048	taskse.exe
Token: SeTcbPrivilege	2428	taskse.exe
Token: SeTcbPrivilege	2428	taskse.exe
Token: SeTcbPrivilege	1084	taskse.exe
Token: SeTcbPrivilege	1084	taskse.exe
Token: SeTcbPrivilege	2008	taskse.exe
Token: SeTcbPrivilege	2008	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
2940	AcroRd32.exe
5716	AcroRd32.exe
5716	AcroRd32.exe
5716	AcroRd32.exe
5716	AcroRd32.exe
4976	@[email protected]
4976	@[email protected]
5292	@[email protected]
5292	@[email protected]
4652	EXCEL.EXE
4652	EXCEL.EXE
4652	EXCEL.EXE
4652	EXCEL.EXE
4652	EXCEL.EXE
4652	EXCEL.EXE
4652	EXCEL.EXE
4652	EXCEL.EXE
4652	EXCEL.EXE
6056	@[email protected]
6056	@[email protected]
5724	@[email protected]
6044	@[email protected]
5144	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1704	1592	msedge.exe	78
PID 1592 wrote to memory of 1704	1592	msedge.exe	78
PID 1592 wrote to memory of 5320	1592	msedge.exe	79
PID 1592 wrote to memory of 5320	1592	msedge.exe	79
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 776	1592	msedge.exe	80
PID 1592 wrote to memory of 2700	1592	msedge.exe	81
PID 1592 wrote to memory of 2700	1592	msedge.exe	81
PID 1592 wrote to memory of 2700	1592	msedge.exe	81
PID 1592 wrote to memory of 2700	1592	msedge.exe	81
PID 1592 wrote to memory of 2700	1592	msedge.exe	81
PID 1592 wrote to memory of 2700	1592	msedge.exe	81
PID 1592 wrote to memory of 2700	1592	msedge.exe	81
PID 1592 wrote to memory of 2700	1592	msedge.exe	81
PID 1592 wrote to memory of 2700	1592	msedge.exe	81

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1856	attrib.exe
748	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pixeldrain.com/u/TcV2BREC
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2ac,0x7ffd82ddf208,0x7ffd82ddf214,0x7ffd82ddf220
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1720,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:11
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2196,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2580,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=2720 /prefetch:13
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3420,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3432,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4712,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:14
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4828,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:14
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4736,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:14
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:14
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:14
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5436,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:14
  2⤵
  PID:5364
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1144
    3⤵
    PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5420,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6348,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:14
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6360,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:14
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6356,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:14
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6812,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:14
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6476,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=6232,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=4784,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7052,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7040,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6628,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6656,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6540 /prefetch:14
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6772,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6544 /prefetch:14
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6412,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:14
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=5928,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=6280,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7484 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7200,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7176,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7244 /prefetch:14
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5700,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:14
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=7364,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6244,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:14
  2⤵
  - NTFS ADS
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7268,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:14
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5228,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:14
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5144,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:14
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7472,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7468 /prefetch:14
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=4488,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7348,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:14
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5196,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:14
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=7100,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7232 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7964,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7888 /prefetch:14
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6760,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=7812 /prefetch:14
  2⤵
  - NTFS ADS
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5216,i,3235301659745420392,15277920970122895254,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:14
  2⤵
  PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4956

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3108
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Jigsaw.zip\Program.cs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2940
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6D1435249EE0817EB05DFB0610453A48 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:6112
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AD912AB62552B43D8FC28CE1E8077CC4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AD912AB62552B43D8FC28CE1E8077CC4 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5976
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=74829C7FDA41934A16819C1406C0A3AF --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5644
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8EDA7A61C7EF9D3A9DED960F1BF780A8 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:4248

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\Program.cs"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5716
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4416
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=531D1BC16AA9676B034301B42C9EDC51 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=531D1BC16AA9676B034301B42C9EDC51 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4340
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0B85A40BF003F47894A34137228B834D --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\LockUninstall.xht
1⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3524
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:748
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 234911742952003.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5396
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5328
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1952
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 412
      4⤵
      Program crash
      PID:916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 412
      4⤵
      Program crash
      PID:6000
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6048
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "sxllxbggsomj059" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "sxllxbggsomj059" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:200
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5528
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5724
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6044
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5144
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5292 -ip 5292
1⤵
PID:5584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5292 -ip 5292
1⤵
PID:1244

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ConnectBackup.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
4b295c15f5f5f418e712f5ebbce82f6f

SHA1
b58ce58eec921943144f7277a7bb57e17c4242cd

SHA256
e98c2a080fcafa0f5a85d853fb4d4c3e076d633536bc4479cf298f732d6f92aa

SHA512
1ae97a3eaf1b15fc7c04baaab841e84975e9b8a7381f5eb3fa42c43316d1db34879cefec15e19d6e67ecb888508879c51840b88f572aac81d51c0337b7b79548

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Filesize
128KB

MD5
bab2889342d175e72b90cfcde8ec0933

SHA1
a8af1e219299a7f782b2f60918138ffdfeb350a5

SHA256
90460910c639a385d3fe1f2b5861e332635aa0849b89cc85b85ac3c6cc6e5bef

SHA512
37509fcb1160d298f8aaaf382a321e63454c4a337db0bcc57da4bd176311f1d62d783670fee37459798a948b136da9ec8b087a1c28a298204b37e7cd7e33a291

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
161KB

MD5
4045c6b73eb64cb981dacb76fda0714c

SHA1
5b53bceb9d5f4b54833e5bda3d89789579b5d187

SHA256
0143fafd297d7a4ad1374ea2fe898dbdeae99579791c7d99fd0a2c95ff9fb033

SHA512
22728427071b576d523e2c185d24b3966caa4d752c98833ba804f9eb834a1e9bab5655750d8dad8ab505d4f667921aba942f7ad6efeaf0a2bebfd03417f442ae

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
4fc8792479f74adc02bd91fe5cec6a4b

SHA1
a7d823853c80cb9580454184f32ea44dfccd241d

SHA256
a04170fd3d18de18b7662d5be38add968fb118501057d296390100152757af2d

SHA512
f25787785b307fb7cccc3f954e0ddb4012d38a99efd2c441ec5226035861696f464a0fa628ef56953e54d72e659c6b18ec2fe8d35ee480d727b87cb97904cd3c

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

Filesize
29KB

MD5
d4814494b96f0d1b34445df2ce793863

SHA1
2384f957176cc1d3bf2a2a930125c739f00937b4

SHA256
7026a6f5e2ed9f1cf64b8b96ffc4767d5d938d22deb92331e3c0efa53fb88217

SHA512
496ce1c3a857c92f2d93c07291af18c2711bca9e7265b9e781f50afc8cb71955248a021898bded857fea86133a358304c472f7e841462a77c3e97fc50e1c5d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8272581d8cb38484cc8cb6afbdd0d37e

SHA1
2baa96a0439003aabaad1ce5619ea0a581cf261a

SHA256
025356bf819ea8a5da44ac2c4510bc380a9448247a30665577430ca7a44ca297

SHA512
60574186c595b0018d9223afd38e59378b1b00ef4f39be17ef2d7613cdac5b8f9e6dc3f2efefd559a0e4e8d64884d6ea155e874df13f170bb6dfbb41a0104959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
03fbc669c8df7b2de8354f6fd2cec607

SHA1
57c05668c2aa8b649aa007a4d02c15998cf14146

SHA256
173b6d91ac9c9fbede3ca45a30457ff3a1e0a28894bfda0fd8ccc3b7e48582c1

SHA512
f79520f06e78d3802ce358ca47364a13f60507c55dfff0d204b5d3c9678c3e6ead0c753ae54dc133bf5a590399f3c646223e12152032abffccbff6bc2fe2e9d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
352B

MD5
ac0ce344e69f01133c2b4aaec9b4cb13

SHA1
d476f145cf11516ce522d3cb8d956ade61595a74

SHA256
c87593369c0911a2ce979ca1546db21db33ae26e7d8078a4ea6a1bb7e26c6062

SHA512
c30de6556e26d9a3bf9090579748ef88c7e0631a4dd56a1cae5659f3e7b64b72a9a2ccef786548b5820f8ab116a2d874dcb6a76820f3ff0b5ccbefb0a5d77f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\MANIFEST-000001

Filesize
268B

MD5
ae52241cbffb1512930b58c8f22337a1

SHA1
6d563b44bfc56bcd0cde64a36c255f68743f67ba

SHA256
a71ba1d58219c864cca7fe8763a5ea3fbdadaa4696aae3510da0b62c7b1182bc

SHA512
3155628adde16553809f89865c52fbad832f9eb05db45fa134b6e6d8fda44d4be3ee67fdd1ad7491a670e0ecdaa5023f9ffd9177904df7673be8283c0aa4f955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000d1

Filesize
45KB

MD5
7bf87143a96bc688026d7be1e2fdcd86

SHA1
f31fa030e4c409874bb5a3f3265f07265a913b39

SHA256
0d5f08eb7f9c86c47ba5b04e21039cf8a1f82d5ed92075498cbbdde849df6f2a

SHA512
7b497cddd2d2e97301549b24babf278a2f472631e4a46366cd0967e88561f6d476da54248182702aedd24af514de8726db219c2cef74a2f847a360a0acb492bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6d715218b44257eb226a10a4acb11450

SHA1
785f56c520c68a10e6b61a36a1a4a40c3cb4714b

SHA256
1b16fcdac7a41c40497644ff01305e406f0752e968768046e9eaec02c724120d

SHA512
a65f7e9bf8d064aa251a32816d75b7b2293797f96a3132e18ee0feab4811721e80cb994e9128c7757a3bee2edeeba425f3cc41d33f73029a06f5c638214da9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
4f561059187665460fb7ca8235459629

SHA1
5dacc0fb50f272e27455e656fc5fc72266179fec

SHA256
3d212f8c1fc84426b298df15cbebd14e940332ef55b01d133ea72dafd0296081

SHA512
b50a5fb1738bd9dbb7f8a66d9f889ce70a73cd36a4726b2f0b663f79fd0a9b960c12fdbf1a78772926e9f9fba840524a313658e9e217685ef7ac4857eaa49586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
90e41cbde6e845c7c1bc1f45f51eaafb

SHA1
76dfcf7531086350429edd60c4c3549f9e47114b

SHA256
db744a8c61e7dbefb99cb7715e737853f59d5977fa6db89a206b346c8727ce46

SHA512
85e321f801d17e45d02246ad846b20a244aa49c22419bbd2d5d452a6b73229a844e5e2e7fb025a94c2f457e347f2cda36f300b2a606a9fbe379fb1786bbf319b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
a331d1609bc079ad52e49c917b5eed57

SHA1
ff8fc63de6b3232ea6510ccfda084120b5119ac2

SHA256
acca392660707f352e9ed39de663a4255867908fc51cbec2b0c7b13521754d91

SHA512
f0d4e562bcbcd6f70ccc51d1877ac1e82b1bf679d327b9ac002d2a28619e056a548ad416d1c376da8954efd4bc050ff5848abc663afb74ccb36835290fe28edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5824aa.TMP

Filesize
3KB

MD5
0f93cffafa8c77996c1025a9d8c5485f

SHA1
3bdd316a7c69d5d03849ff6a5b5f1030e0adbf39

SHA256
545323955bf924c090bccc777201e5fdd744518208daa0c92e325e7e1c803b39

SHA512
612a086b58c2af0c9d748a39b4e33e496b78868851c80a916c40e770995dc9774b9bb7756b0ae3c3a6e5b0736266485bb2ed2dd938b2e8b67f6145f95c111d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b1914c60ed87bd2b929dfb314eb408cd

SHA1
4ef8eda5e203cd2a321f92dbd8ebe2db14b4ff53

SHA256
2e59b5574226f2b428dd9e679db5fcc13720ebf76cbc697dc0d297cfd14f3df9

SHA512
f446b8041f7b574b5d2b2aae88ae2cdaa42916c56d09b3fbf72b0c5781f1bf650f0924356d26169d01b7cd4ce10bf128a982c200a4271f7bfba25c8b3fcce14b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
ab03b8c48347910500794513e960cd7a

SHA1
bdb7b51661ea2cf220fd21f9f63b4de930ccbf13

SHA256
9a86295549b0b58636fdcecd53be34d5911d20bfb12c296aeddc49f840b9df57

SHA512
7775d9b3bf14874aac524ab9d3811d9b157688a593c954119679bb819508002c195dff328740cdd204b8687f7622ae820807eeeee8e011a4dcd0c971793bbd83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
58aaa4ed1a2f3c7e12c8af51c6faa2ed

SHA1
2132db4c2962bfe97ccef5fbe547d438d25291c9

SHA256
d9de5329d1dcbcb8e216bf6b6c7c2d652991b4b3c87247818a9630e206ae7c0d

SHA512
2f59c57bee2b5a862adecbc8b82010ed91a4c6a83ab7c6cada1b66c334d84fadea33b6cf6895fcaac017096aca637f140f7c1d5626ecc21fd323f4e4cb7eb5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
9dd3c030756be12e20456d0f24e80ce0

SHA1
083c6d3be334e2a7bcccea2a0e772dacfb605753

SHA256
8ee9d8debc73e89b84ce7c4fe323961821d1b9ea821d09b96d92f8ac04234137

SHA512
7ba2e3ff2411dd3d1dac1889e70e623f5f101392e700802b830aa89280d34a62db83450c660eb114108d81f7e90012572fdd3ca1bcefb0f32595e7348c25bc87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
578eefda5d0f8bc8e68f10110aa3ae1d

SHA1
627a18e1782c3501591021db1226b8bed5b9f746

SHA256
538ba3a55e731c51c6a26c4ab0b5ba99c70a0d02db65f69f20696cfd9c5df1e6

SHA512
0e8175103266271941407a1ea30d236db045d766c531b32ca7d2be7e8e359c653c2063bb88f6cfa786415f7999f6cfc8c2099ca2532c61999c58f4bb7b7bbf69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
943d67d86eee044f4d8dc0d683f00ef9

SHA1
a3d09abb70b99435973c898b9570a5462ef1e6fe

SHA256
6f21b9d81ce9a4e773b3f9fa5b4a1740a99f9611cc08024f6ba451f0f45558c9

SHA512
ad1bfdf48f5c2d29296a74e8cae17e3c1998cfaa770ce8ccc893938be7f9695ec9d495cfb42b00bfe98234817f80142b6e074c43dce0628ad3b80657f61fcf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
a82f16c7a32ad2596e9feb2abe56d80a

SHA1
b3a5e818776f12db67c9955f019e783799fa46bc

SHA256
52373422e389edce5c528de4dd2e5175f617b5055427165d435d55f3c41e6abf

SHA512
cac68ec0d875ea70b191f1a5712f34cfb141863cf45c83c45824b5e66160abc69a1b2bc13d58f9639de955d35c7825d964ba3166eb71d8f2fb8ab0cb12a64acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
a91683a8ab3b6fddcf0689f37dc8bded

SHA1
b1101d4a038f2d1abc11a24ef433e95b380bbb6c

SHA256
e6395bb469b12f47aeb4e0d2adb45537dda61e638ef70f515bfaaebbdb954712

SHA512
5a66bf25191413f28afe21b7c1cc17f8278d2a8c1029c2664b2780bfbbc2eba181b69b62a407407efc979884e386c782f2662ebba3069ccc9155139fa7337719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
e3cc6fcd356b3ab16ac5e3c982c83106

SHA1
45caa813fb173ed50b5b42b26eda9474177cac57

SHA256
4ff760d01617e91a2eb0c7aa5af59e7bbf7a835c9712dd00813560601ce6e39b

SHA512
6a7b47def9e0576ba51b1c6ccafb4837f4ac857f846293fcc457d8fc8bdf1333419dd31d194d6838c238e69ccaf69f2c87fc7f010c24534a9f0418f2e80758a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
aeac3a7c9c19b24ac802fc6f926ec4f2

SHA1
2b345e9dc221994be8cf2b00c2cf872f684d18f1

SHA256
cea2e6f777441e92489e6525ebd625688db3231c243703decd43a216ff963d97

SHA512
c3f5b44a93e2eadd0ec4aed40a03f7d02a283f27bd634917af0ce9837e09f3d1df7bfa6fd4312069012eaefab82899797da3295906d4e2bdc60f94880cadd7c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\17224f1a-db97-45a1-ab22-90201088e1f2\index-dir\the-real-index

Filesize
72B

MD5
5c1dc3982e1b36d8962de8f4017a1b34

SHA1
71826d59083e22329186fba7790949cde341d4b5

SHA256
6529135972d80f7fb40175eec4b6cd6b03ca7d73dc57e24de6249cd3ddfc606e

SHA512
c2392c880afbb269b97a7ac716d67e46641ef7e544c2cce65c232eb4050fe600ecfb4849fcf352146a2bb3f00a4e05d547af45c60e54e1af28bd86cc37c897ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\17224f1a-db97-45a1-ab22-90201088e1f2\index-dir\the-real-index

Filesize
72B

MD5
58a7ceb683113ba8110075464dac6a83

SHA1
f836d74deea7716c0a41990a8ca48cd2b5f6314e

SHA256
5fe5653385b3610327e2116d4336d3a0632aee9000d7c820cc493cee601ddf3d

SHA512
b85d578007f19b269a829206107d0f995f20828a7022839b9a80a15e0fd38ab81df1512d57805ab5c9afc9d124eb9a172bac87be0ece1f3446bc0584e31a194e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index

Filesize
2KB

MD5
0c55deaec601ac9104c55b963d29ac0d

SHA1
13e39c89679ea89b1fc0f139fb9825c02ec66acc

SHA256
3e10a5f232ded50851246c9cc1925a177a4dd61b71681ffde666730707ed7606

SHA512
62e10beb465f066d9361f8d2f82733d3d7042addfa83726d818d31ea642f2eefe8b43fce18ab27cbcd8f1b66d6ac144b75acc84d87adaede9ac76019c9505e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index

Filesize
1KB

MD5
ae0912a38a53fa5a329000ea07a5333a

SHA1
c58aedcbff089c178dd0ec4346069a04ed125cf5

SHA256
bf2dd8940559f1f62b97a581dcc51843e44787a4a3471d510d419e1dd33a9eb6

SHA512
e46518bb622b17f99312aa64d50c8d9088b42f17802f1f39b3e157a71a73bcc827146fd0c9fe6c4205353af4192cb77f7d3dd8c339bc75854ff28124c843e646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index~RFe5837a5.TMP

Filesize
1KB

MD5
6f9cabb8135461cc209abe35b2635457

SHA1
3194d90f1fd472472e97cf2711965bb3bca3b438

SHA256
06d552ccc1884158fd37d3f53f0730789889f86eafacbd8310147bde7c2a4cdd

SHA512
e9dc4b55f88aa380659fcd84da46ae14199d6eb8d60318e570d0e82cf8930e9ee18ca400ae8e45fce8ac425b0a15e2d6c630cdc8f92a2ca8c5ad9eb8d8f41fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\57c4ebe5-8d4c-443d-ae6b-811cfb1569df\index-dir\the-real-index

Filesize
72B

MD5
6e91bae97ef39a1873f0a50b9a58aa3a

SHA1
604f27c23252c7d6c6c98d532487ae12f0436957

SHA256
2cba03b2b52624e070096b71187e2e234b2024d75366c48b617aaa6c5a1b43bd

SHA512
ab4d48e7203808f677917baffe2b22b2ade945e98869dcbd3b84678bf5902f11855cb67fc147578ae9daa970bde2363b16946b744cb77d3d5bd586c3d435de39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\57c4ebe5-8d4c-443d-ae6b-811cfb1569df\index-dir\the-real-index~RFe58a91c.TMP

Filesize
48B

MD5
a574db56f8fd95ad6ed8c229377fd890

SHA1
0d8a519682607ff817e396c681599e1a4859ec9a

SHA256
b58af79f0af7ccdbc8d9b9aaff0e743ee3ef883b5314d7a3c7b9a5c05cf1c447

SHA512
2be1273391f4d7e8c2984062ff0e8f4456d6d52656a8a6998a6eb63f7dd02c50d65830a57ae00b769064496063a0b323bd696133072babf36a7308d53ac1d3bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f59aade4-ce8e-4e3c-8d7b-d82264e51474\index-dir\the-real-index

Filesize
72B

MD5
6a800052d17dc62d8c97199c521e1258

SHA1
f55f2881203f59089b2e5057c3b4f117d7141850

SHA256
bc7b1f08935a09fcec250e829c93d41701d49d7600c2e3c49698a3895b56d307

SHA512
98f0d93cee2bb8ab254c34cf729b1a127d56f6ba49308f171a32357fd3991026bda6b393a91072186b0e5ed9a4d9db289051f7e48ee3bd3c0a07b3639e6a97c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
7d834f3c4b345f97d575b35538ea17e3

SHA1
ff13e950cd68574b31fe890b51213e0021f21cc1

SHA256
9f0e2d91ce9af4861a7cc3d22794a02bcfbe45f7c87d9155602b66283a2ffe49

SHA512
4c9b24c87cf00b7e827abdbe40b9919303db9f17090cc4615c283dde10d18a916e102d7b33f38fa838bd508dd6fb2c98e6d7f0d92a38218c5dbbe9fba340be72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
42eb43bf149b3d9c1134ccc3bdc627e2

SHA1
a23fc45c9e50c9beebcc9bb6bebdedd61ca3c41f

SHA256
36080e3202c22ea77953a32bd7f25ebb3ce700c4508dae46fdfefa332a5d1e3a

SHA512
b7eea873a21329bb1a5e900a985f6394e810dbb8a4a1971a979944f22f27953b80080a7ebaaf07b4191a92a3d34f2294c7984509678d9ee17ec555885250fc6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6b79c9adb179fdc764370f35abebec91

SHA1
6fee92deab71739b630749662baf45ad6408ad39

SHA256
b56a068b614977ef3eb038574db20df99d45a13042ce2487095b549976e0b63d

SHA512
498942f6afb6c1c28907f7046d73fe42ea689ffceeaeb865b0944b146700a3aa255f905f01627d8279ede5e44da4f225b02c1d27e631d6ac5c282f9d567cd110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588d76.TMP

Filesize
48B

MD5
bb1270e9f28562c02301791bed10b940

SHA1
cd66268ab35762c052d07cb1cc2e5dfb153c03f2

SHA256
471ba0676ccc51162a8cf651869855efa57767d22ed64d7dbbbb85c05e52892e

SHA512
d65881fd6bdbdf78c26970bbf5213855d4e3d41a57c79514c4bace109f1cf97404a2bbb9d20df9bd9d9c9b9ade1dfb46d156c50caa22ea288ffe37a2c4fbfa3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
cea1d49e0a754c8be122f50d579d42ec

SHA1
c7de6fee2484bc20b0ca2ad730d305941f1dd724

SHA256
75e3652f284f81caac5ee3a19df6ca2ff07b6b7d13fb1249d242a4f69ea9861a

SHA512
5acd87ac7a19c663d66b247183676f0826e5ce919c876d36e2c83bed229d8873117d12426755e14aeb332fe77f2c24b0ca91c0cb9821e5b7b05f85aaccb4a4a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
6523303f63ccd2e72edcab9de9ee2411

SHA1
f079d5da2432d7df2257793c4dfab8ae3932c6e0

SHA256
4dd19d8f2b6482c6fd44457562134dc909ca4ccb9593f3d52c46e6c282085c35

SHA512
73805256f89e7b7fd98f2fa363d53273ebaa6e54bd7c40d25c1c1c7fb93edf51067f846fad19d9170efaf10dc4529b5725d2e9f0d9021163a8222ca6870f7cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
8c9469d5dec892c27b06db0ea9acab7a

SHA1
081e534628c0b1c9db79b6fb9120311c60773252

SHA256
0cd391e545a34f3dd177406c0103a3d1c0021d2207e7bfba516c454c50608bb3

SHA512
de3e9271912cdff8594f146aecaaf37ca5160bc9c1c8704f7257f05bcd5dce0109ad13ba1847795e6096a2dc7b05115ea80f54f433a49adf73d99af2458114ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
daf8806b174a6050cf89101b43ec8f1a

SHA1
4185b6d23a276b4048d1eb45cb0b8cf3139f5b02

SHA256
a5ec37d06dfa506309f47a32d637e6a394427d6388e5e7ff504069c809724df4

SHA512
7006bec3d332ad52b69c1275be37ca4dd1d161fb7cb38e484925f92b8b6551d50ac30fd1ff2c3a9a09929527cf2aeb07433453448ae94ecf1f5bed9137d484fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-stable.json

Filesize
81KB

MD5
2e7d07dadfdac9adcabe5600fe21e3be

SHA1
d4601f65c6aa995132f4fce7b3854add5e7996a7

SHA256
56090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a

SHA512
5cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
de94c89e1b965e22874e8988b77ba57a

SHA1
d67078c980186fa15181c27fac980a3cfbacb673

SHA256
9933d29de4dc4138ac903b9dabc0bb51750f1ce2050a9a356f1760c61ab6d7b9

SHA512
8c7d34a4ea0f55f13df5947cf3d097499a4005d070d96646bac3ec9ccdf3768ed29a681bf0e60cee9e377b9c749ee842d9cb61c6e677d92cbe022ace52f7fc6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
957bd5c96aeaabf6bfbf2374e3ed71d4

SHA1
95601e04ddb5a2fd1b1475c92cb08bf12fef8198

SHA256
f7276c26a6a685068c6505282c6e6d01ecc0da6d189da1afac1a58f73c240a5a

SHA512
c91d652f0f051c0cd67680f00ddaab8404db7a84492649fc48b1f1f2e0ca47af1dae5278207548b998e843828bcefa37a213aea3e8d849202c588b2922c7c023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
73ae135d4e82ffdbec64e6b4544d2991

SHA1
acdc9710ed1aa06d495932e5df6288662693dead

SHA256
54608416bc08eeff8a4b4acbf10af105053aad9575e086ea61a109ad150ffb1d

SHA512
676e0d10dfa13545c6e5ef7e936410a403132b57c9ec95962d6b0e73e428950bb8490c798a1c1c770141fd19706b60162c84aacdd6ac2960df1a6e18caeb0c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
0005bc9954b5b6c902b226d168001ab1

SHA1
cb85eb846229ba2ec11eecf1037dfeb82f9ad69f

SHA256
be6d6c49bf81486e0173a3b6155b49d794d0a26ea29c73f085bdcdb60f987e4c

SHA512
6ccb1f35ba75f981e3ac73d4aa9bf220ed8d29087190f3b750df8d9411a99251f14877ba0f8d20896d31dd13cd2826fbad642387a952706f73567bf93c373943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
a80748ee6a6deb43bc56108e313f884c

SHA1
f77f8e541efadb5fc0ca81abfbf35638f0af365b

SHA256
2b15abab7ed888e2e3055c4565989d38b3ee4d983da78d73e54aea48c6c96659

SHA512
31acd561c4e23152dd5c83d0ae27114604d74404e6e4b9948b3fcaab98142e9fd5392b1c520e5aa31ce5f3dda169ec92a1ce1baacbbd1b904dcfa783f467cdf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
12be5586b1618e29edf7e1b31b5566f8

SHA1
03050b3c20dcbedde53adbc8fd40001a1cb2d5bc

SHA256
b0dda7eb08307271418f4e578fa108f693350f99f26f6d683209cfc24c16db1d

SHA512
b0c8aeed4dd7367f770b06c88572c358e88b6a5a8d85e6d56c1ecf9c47318425b1497a6b6c4ec0df85032052e7fc251335042e353ee88872eff13e1a56cdfa43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
74de4f79ef23d862c3def9d038db3f36

SHA1
3c5326ef705e92f2b3111f12354e6dae94f83b8a

SHA256
6b1709b9356d9730de0432fec10177a07440242c04f930b49bffd9c53c7eb988

SHA512
901543dc97365245982de4cef365c41b0589d70a917b342fab359d1502efb6f91286830043b7f232a22fd5dec24ad8b337930e5f6da50a3300991926bd2812b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
91180b0efd4516f006a124d76a473c07

SHA1
33b28b7c3718a4840a979a1233c27eb2795fdeeb

SHA256
b93f667d71f4c4df019c7e5c75a518f24b4369fceb19557134652ac7d4edbbe6

SHA512
d6ba6fc10e06e590f21cea9e51c9313d5c0225c1046894049197f2d206c5163ee346df80a87fd0365b78baf42c29208e78054d07d03864351c4696da3a4803a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
15a6dfa5f3ce0d595e1a34ac7c288850

SHA1
816a529a3b1f7b7624f1209370f8102a7556af1e

SHA256
0555317a778f29872d0561c7b040060eaddbf0ba92b0b99a67c6b06f24ea2593

SHA512
2e0303e8998b4329ba1a9166542580bff54a9b7ed4cc66f12349092910aae51d39b620f840a65e05a86346169806526eccbab652debd39c0ade92a59d52622bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
91b9b8680b0ab4947e6fc6433c25b714

SHA1
b1013227486df21447cf070e921f5f49d496e08e

SHA256
800f0dfb60e64928063b88359a5a28311170bc4a3714e90241e4837906702ef6

SHA512
dce0bf8f486646c369ad96883ab660a21caba5585da5271d2e44fe8af3468eaea645f9c61ac2a9113fbb342697cf759ac0cf0e6c4c5f0e16ce4751d9349343f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
482760782583ed0280aa5e53bcfe1792

SHA1
c4db3deec9a82ee49c28af670f2502b034f874c3

SHA256
af146a68521a22a24277fd0299f308f77e3200e541293a2ca25a8029237acb2e

SHA512
a31a767b96148ce18e1e4c179ccb25ad624c8000b785b854e4ca2b132542445a1b0d75f51ef607fbaaf0a8c10b33a059e0d035645b57e01bbb7f282045c6754d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
4f7fc775991a892daa4bc83551626155

SHA1
b590c664506598284a06c18b6d9c9d79735760ac

SHA256
c0e5a9a431b78e628eb44ab19607befe6cdedd6136f8de528ab6e028b36e1a2e

SHA512
ab672e9024b906c7a85e65c111bf504e7690e88d5944ec36e99cf8d94050e405e94a93d2055c67458a6b200e86d96e8e44d63d9ddd629fd55c3ee37e648a3f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
6ee758ffeb2f9e9454bfe2fb1dcbffa2

SHA1
c145de7c58671f28abf6520b350bb0c784bd28df

SHA256
42ebb457c746181dddb3191723d1fde9222744b4516e660bfb5f961f486a93d3

SHA512
cb0ca6327b13d9247d842d0e62d0ede9af383b8b6dfe3f209fe73f85a2330725568c28f65d6d6fb6329bf3f8728a9fcf05b3528999df77c61aa6d3c7552f503e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5876e1.TMP

Filesize
392B

MD5
d840c10fc5f258f51e35a67f2b92bb7d

SHA1
5efa42731d8e8b88f20092c300bc99bde9afbaa5

SHA256
ce0887360ca9a25230e90a79d515d0a8b2d3aabc6bd8c4c64601308603f0472d

SHA512
78e42c7dfd522ea6a8bba63a00329862a23a07ddf921104de06334a13541aa80eb64fc3f86b1ac2c74e633e78f6a4432ddf3ecb0ce22a8dd15d06371deb62ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.25.1\typosquatting_list.pb

Filesize
628KB

MD5
c26015b2460d1acf6859aad730dc8f4a

SHA1
9c772753b62eaf995e39ea5ce1ef86454b58f169

SHA256
5d816db5713aa5d2fa0c1de5461729250439d7609d95bd65623c0ea62da192c7

SHA512
ef72f6e7a4ac1eab4c59ef0d90f884e29880a305ca262869b87a90462897d182a45b38fb074d704205a422cb886214c05aea6d0701715917b3092cb15559a6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ad4bff67-e23f-49e8-831a-667eb4fd4084.tmp

Filesize
41KB

MD5
c8fd913a4aadf3422a9c1cc527ec6ec9

SHA1
63a56ade6b10c9b0060e325eb9a13e2a7d89630d

SHA256
5be383c83dd05dd37114bd21e8e9d275f72189acbfe323dd25ddcfb0cde05274

SHA512
f5595a375a1818e63f936bbe46f188901a22e3fcee89760214c47ca323e9ec5c5cb886c9bb47fa6c2989071d962c81cd819cb3e9d2faac250390be9a6edb355c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\b268ea84-fcc5-4440-a29c-11a0af3208f0.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Filesize
10KB

MD5
7a2c2f3398188d10b1099cc5c220b752

SHA1
065d29386d45a7b3bd91492d23bb9a9a6589b35c

SHA256
d3992fe6ec437f846a60cc04fb30f08b53dce4ba39d736a46c14e424777c7869

SHA512
8972661cc3237799ff472419a8827b883728ac1ee2f24bc223cd6750f2b164091ab0d966c8c7608fb7d2d66b322b4b229b6723bacb507d1fd09c31d7718f0dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Filesize
23KB

MD5
87d7026646d4867f873c17270839dca1

SHA1
bd7b5b3e80e1369dc1d253b4a3cfb3593291af6e

SHA256
468e8af777e758049e568dc8dc66432a67479ebd4e8276e37e872ae78fbb0a4c

SHA512
2926a8731fa928df1723230599c057a7c92847e7767b95d6cbc7ce32a72eb3a37ac247e6dc81cada8c6384310895c9969ce0694382d8856ea8d61ee90492bc42

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storek

Filesize
264B

MD5
014b07ce3a9e39185aa6acff0f84f7a2

SHA1
9177dcb135fdd7734694540dfe79fcf86602c4ed

SHA256
aaa4f9c1ba2f4a6e765547db0b74c16db798e748b8af8e12eebd85d9b5fff1bc

SHA512
42ec34e0e5151d13943e43e56ed951d50ee0bcd0f95f815bf6a3049da109ce842f3a1effc6be45f9a61018a2412917ad8d12c91140f2b9d48d5f72d758ae9204

Download Submit
C:\Users\Admin\Desktop\Program.cs

Filesize
748B

MD5
7ab4c441d106aaccbbd16a0b17f7f19b

SHA1
41097b830624aac6d8d555259db42dcc1e8d7c56

SHA256
30c709eb5dccb4a0a125ca99aa2076e93324a4be63482f6a5d196012751c0ff3

SHA512
b93cd769a20ae3e2c00161ad4cbe3b83501f31a27f73c73688da2f5e429f2ceb5d316864f1b5c7852a226b9cf85a25dfe16a4b95822583cf4b605f0f13e0c9f5

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier

Filesize
285B

MD5
56d3eccfbd929e83e9e6167b95340c24

SHA1
6a6feffcc885b50f085b053bb319125326ee3923

SHA256
441619ec1ef07542b6da169f78750054d093db0f52b5322ea187b1701d31d297

SHA512
3ee34e4d2389ab79e676a316f28eb1bcdf24f055e3d136d9a6a0478265581705fd6a1bd03fa8c441fd189a02febf92fe5515e8b7d81c459af0cbe5c0c2f80caa

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1012398925\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1066399770\manifest.json

Filesize
118B

MD5
3004ab7c9e3747e5109246e7f6b3859b

SHA1
ac4c574c03611b8bc675e878a1be8124bc32fb48

SHA256
1cb88f273e7906a853670161b6c75fabdd67f67c91b96a78171e2877b88eee96

SHA512
f81e8de5d3010bce31b311de7545353b72a9befd01249cca99e870f141090ba66913991c458f4b5cdfb80902fd116fecd54981cc0a0f4049102247c273f905e0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_1873903776\manifest.json

Filesize
121B

MD5
7122b7d5c202d095d0f4b235e8a73ca5

SHA1
0cca47528a8b4fb3e3d9511d42f06dc8443317c2

SHA256
93b603f06d510b23b95b3cacd08c3f74c19dc1f36cd3848b56943f069c65e975

SHA512
ad6fba6e0710cc26149dcf7f63143891aad4ebba0cc45670d8885fade19dc1a50b542a15b10a7604b6b1be4b8e50fcd5514f40c59b83cc68bd10a15ab2a93c1a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_540830897\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_583683149\manifest.json

Filesize
145B

MD5
92d8fd80d37e7f7ceab3b7f7e9ade68a

SHA1
f350b2460c3d9a9dcf1ed3fb965f727503a7944b

SHA256
2262c642067206eb885632bcfd0e12238155a14c98fd46be587c852471514513

SHA512
8112d4bd7256726fe63dea0eedf8c274f90424d29ee3cc4c360ba0c54ccc1d07ef36faf1a2fe19d1aea1447dd5a6ba6d2db0607161c486e882bcb3c01885238a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_748621717\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_948391672\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1592_948391672\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
memory/3524-3106-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4652-4760-0x00007FFD4F4B0000-0x00007FFD4F4C0000-memory.dmp

Filesize
64KB

Download
memory/4652-4757-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/4652-4788-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/4652-4787-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/4652-4789-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/4652-4790-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/4652-4761-0x00007FFD4F4B0000-0x00007FFD4F4C0000-memory.dmp

Filesize
64KB

Download
memory/4652-4755-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/4652-4756-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/4652-4758-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/4652-4759-0x00007FFD51CD0000-0x00007FFD51CE0000-memory.dmp

Filesize
64KB

Download
memory/5644-4751-0x0000000073AD0000-0x0000000073B52000-memory.dmp

Filesize
520KB

Download
memory/5644-4791-0x0000000000030000-0x000000000032E000-memory.dmp

Filesize
3.0MB

Download
memory/5644-4750-0x0000000073AA0000-0x0000000073AC2000-memory.dmp

Filesize
136KB

Download
memory/5644-4735-0x0000000073AA0000-0x0000000073AC2000-memory.dmp

Filesize
136KB

Download
memory/5644-4752-0x0000000073A20000-0x0000000073A97000-memory.dmp

Filesize
476KB

Download
memory/5644-4733-0x00000000737E0000-0x00000000739FC000-memory.dmp

Filesize
2.1MB

Download
memory/5644-4753-0x0000000073A00000-0x0000000073A1C000-memory.dmp

Filesize
112KB

Download
memory/5644-4754-0x00000000737E0000-0x00000000739FC000-memory.dmp

Filesize
2.1MB

Download
memory/5644-4748-0x0000000000030000-0x000000000032E000-memory.dmp

Filesize
3.0MB

Download
memory/5644-4734-0x0000000073AD0000-0x0000000073B52000-memory.dmp

Filesize
520KB

Download
memory/5644-4736-0x0000000000030000-0x000000000032E000-memory.dmp

Filesize
3.0MB

Download
memory/5644-4749-0x0000000073B60000-0x0000000073BE2000-memory.dmp

Filesize
520KB

Download
memory/5644-4732-0x0000000073B60000-0x0000000073BE2000-memory.dmp

Filesize
520KB

Download
memory/5644-4848-0x0000000000030000-0x000000000032E000-memory.dmp

Filesize
3.0MB

Download
memory/5644-4854-0x00000000737E0000-0x00000000739FC000-memory.dmp

Filesize
2.1MB

Download
memory/5644-4856-0x0000000000030000-0x000000000032E000-memory.dmp

Filesize
3.0MB

Download
memory/5644-4862-0x00000000737E0000-0x00000000739FC000-memory.dmp

Filesize
2.1MB

Download
memory/5644-4899-0x0000000000030000-0x000000000032E000-memory.dmp

Filesize
3.0MB

Download
memory/5644-4905-0x00000000737E0000-0x00000000739FC000-memory.dmp

Filesize
2.1MB

Download
memory/5644-4906-0x0000000000030000-0x000000000032E000-memory.dmp

Filesize
3.0MB

Download
memory/5644-4916-0x0000000000030000-0x000000000032E000-memory.dmp

Filesize
3.0MB

Download