jigsaw | hxxps://pixeldrain[.]com/u/TcV2BREC

Analysis

max time kernel
178s
max time network
202s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2025, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/u/TcV2BREC

Score

10^/10

jigsaw wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (937) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 1 IoCs

flow	pid	Process
185	3992	msedge.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD60BF.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD60A9.tmp	WannaCry.EXE

Executes dropped EXE 18 IoCs

pid	Process
1068	WannaCry.EXE
3168	taskdl.exe
2200	@[email protected]
504	@[email protected]
5340	taskhsvc.exe
3944	taskdl.exe
5472	@[email protected]
1952	taskse.exe
1620	taskdl.exe
3084	taskse.exe
2160	@[email protected]
2460	drpbx.exe
1044	taskse.exe
5868	@[email protected]
4228	taskdl.exe
2312	taskse.exe
5780	@[email protected]
956	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
812	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jmnnaiwukuh022 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
154	camo.githubusercontent.com
180	raw.githubusercontent.com
181	raw.githubusercontent.com
182	raw.githubusercontent.com
183	raw.githubusercontent.com
184	raw.githubusercontent.com
155	camo.githubusercontent.com
156	camo.githubusercontent.com
185	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-20.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-36_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-64_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare71x71Logo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	drpbx.exe
File created	C:\Program Files\LimitExit.ppsm.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-80_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-96_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreSplashScreen.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-40_altform-unplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-36_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Todos_0.33.33351.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SmallTile.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-40_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare310x310Logo.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\x_logo.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.tree.dat.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SnipSketchSplashScreen.scale-100_altform-colorful.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80_altform-unplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-256_altform-unplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-64.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\Icon_Xbox_PhotosSplashWideTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_logo.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogoBeta.png.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2021.2012.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-48_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office32ww.msi.16.x-none.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-36_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-96_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png	drpbx.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-lightunplated_contrast-white.png	drpbx.exe
File created	C:\Program Files\ConfirmClose.xlsx.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-40_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchMedTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadStoreLogo.scale-400.png	drpbx.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1890059008\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1185620335\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1185620335\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_478358612\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_478358612\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_478358612\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1357474366\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1890059008\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1890059008\office_endpoints_list.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1357474366\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1357474366\nav_config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1890059008\smart_switch_list.json	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874794321634783"	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{3B4B0685-B15B-4F28-9A92-6A3FEA456C55}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1980	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe\:Zone.Identifier:$DATA	jigsaw.exe
File created	C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe\:Zone.Identifier:$DATA	jigsaw.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5340	taskhsvc.exe
5768	msedge.exe
5768	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4412	msinfo32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5700	WMIC.exe
Token: SeSecurityPrivilege	5700	WMIC.exe
Token: SeTakeOwnershipPrivilege	5700	WMIC.exe
Token: SeLoadDriverPrivilege	5700	WMIC.exe
Token: SeSystemProfilePrivilege	5700	WMIC.exe
Token: SeSystemtimePrivilege	5700	WMIC.exe
Token: SeProfSingleProcessPrivilege	5700	WMIC.exe
Token: SeIncBasePriorityPrivilege	5700	WMIC.exe
Token: SeCreatePagefilePrivilege	5700	WMIC.exe
Token: SeBackupPrivilege	5700	WMIC.exe
Token: SeRestorePrivilege	5700	WMIC.exe
Token: SeShutdownPrivilege	5700	WMIC.exe
Token: SeDebugPrivilege	5700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5700	WMIC.exe
Token: SeRemoteShutdownPrivilege	5700	WMIC.exe
Token: SeUndockPrivilege	5700	WMIC.exe
Token: SeManageVolumePrivilege	5700	WMIC.exe
Token: 33	5700	WMIC.exe
Token: 34	5700	WMIC.exe
Token: 35	5700	WMIC.exe
Token: 36	5700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5700	WMIC.exe
Token: SeSecurityPrivilege	5700	WMIC.exe
Token: SeTakeOwnershipPrivilege	5700	WMIC.exe
Token: SeLoadDriverPrivilege	5700	WMIC.exe
Token: SeSystemProfilePrivilege	5700	WMIC.exe
Token: SeSystemtimePrivilege	5700	WMIC.exe
Token: SeProfSingleProcessPrivilege	5700	WMIC.exe
Token: SeIncBasePriorityPrivilege	5700	WMIC.exe
Token: SeCreatePagefilePrivilege	5700	WMIC.exe
Token: SeBackupPrivilege	5700	WMIC.exe
Token: SeRestorePrivilege	5700	WMIC.exe
Token: SeShutdownPrivilege	5700	WMIC.exe
Token: SeDebugPrivilege	5700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5700	WMIC.exe
Token: SeRemoteShutdownPrivilege	5700	WMIC.exe
Token: SeUndockPrivilege	5700	WMIC.exe
Token: SeManageVolumePrivilege	5700	WMIC.exe
Token: 33	5700	WMIC.exe
Token: 34	5700	WMIC.exe
Token: 35	5700	WMIC.exe
Token: 36	5700	WMIC.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe
Token: SeTcbPrivilege	1952	taskse.exe
Token: SeTcbPrivilege	1952	taskse.exe
Token: SeTcbPrivilege	3084	taskse.exe
Token: SeTcbPrivilege	3084	taskse.exe
Token: SeTcbPrivilege	1044	taskse.exe
Token: SeTcbPrivilege	1044	taskse.exe
Token: SeTcbPrivilege	2312	taskse.exe
Token: SeTcbPrivilege	2312	taskse.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1240	MiniSearchHost.exe
2200	@[email protected]
2200	@[email protected]
504	@[email protected]
504	@[email protected]
5472	@[email protected]
5472	@[email protected]
2160	@[email protected]
5868	@[email protected]
5780	@[email protected]
2992	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4740	4796	msedge.exe	81
PID 4796 wrote to memory of 4740	4796	msedge.exe	81
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 3992	4796	msedge.exe	82
PID 4796 wrote to memory of 3992	4796	msedge.exe	82
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 844	4796	msedge.exe	83
PID 4796 wrote to memory of 336	4796	msedge.exe	84
PID 4796 wrote to memory of 336	4796	msedge.exe	84
PID 4796 wrote to memory of 336	4796	msedge.exe	84
PID 4796 wrote to memory of 336	4796	msedge.exe	84
PID 4796 wrote to memory of 336	4796	msedge.exe	84
PID 4796 wrote to memory of 336	4796	msedge.exe	84
PID 4796 wrote to memory of 336	4796	msedge.exe	84
PID 4796 wrote to memory of 336	4796	msedge.exe	84
PID 4796 wrote to memory of 336	4796	msedge.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5472	attrib.exe
3144	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pixeldrain.com/u/TcV2BREC
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffba3fbf208,0x7ffba3fbf214,0x7ffba3fbf220
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2272,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=2980 /prefetch:13
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3512,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4004,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4056,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:9
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4156,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4140,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:9
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5376,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:14
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3564,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:14
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3860,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:14
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4124,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:14
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5896,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:14
  2⤵
  PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5904,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:14
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5904,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:14
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6208,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:14
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6224,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:14
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6524,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:14
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6328,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:14
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6344,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:14
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6868,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:14
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6368,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6356 /prefetch:14
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6984,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7044 /prefetch:14
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7256,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7384,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:14
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6348,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7452,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=7668,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=4536,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=7440,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6356,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7316 /prefetch:14
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4600,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:14
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6012,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:14
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4220,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7780 /prefetch:14
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=8028,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=8068 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7980,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7240 /prefetch:14
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=2004,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6956,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6676 /prefetch:14
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6504,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:14
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8216,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=8240 /prefetch:14
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8232,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=8428 /prefetch:14
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=8040,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8100,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=8208 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7216,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:14
  2⤵
  PID:6100
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1068
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5472
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 116231743005869.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3144
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2200
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5132
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:504
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5700
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3944
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5472
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jmnnaiwukuh022" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4684
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jmnnaiwukuh022" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1980
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3084
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2160
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5868
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4228
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5780
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:956
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:1796
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    PID:2628
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6480,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:14
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=4100,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=8244 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=8328,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8348,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:14
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=3488,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6384,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7228 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7712,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=7152 /prefetch:14
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=8104,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5452,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=8020 /prefetch:14
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5616,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=6856 /prefetch:14
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6228,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:14
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3380,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=3360 /prefetch:14
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6960,i,1452162490225116303,17298717055069992816,262144 --variations-seed-version --mojo-platform-channel-handle=8064 /prefetch:14
  2⤵
  PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5396

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:576

C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe
"C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
PID:5256
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2952

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\RenameOut.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:4412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

Filesize
32KB

MD5
829165ca0fd145de3c2c8051b321734f

SHA1
f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e

SHA256
a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356

SHA512
7d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
802671ad2fa720e1286f1385be0a764e

SHA1
96c501c7628cfd17ca5b5d5aa1d7ea63a92c7da9

SHA256
0f4a3b05627632566c692919f5c736e94f5eddea94eff4a70412964d7c156db5

SHA512
aaf1a8bb1a6b3ff745bd26fb109c57efb42315e5476ee7798a8f39805c00a1f44b4583e793ab74d4863297a7500c5662c3438fd09112cedcaded39f8ca35d0f9

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe:Zone.Identifier

Filesize
86B

MD5
1d726d00a7033a5dab753d6012eee269

SHA1
0eec68c618a8c4d44299dfb8415b9add0eb03863

SHA256
fcce59c5531bcd9542bc0fcd0427669e9527e71384a83a31199d91f157a01928

SHA512
c50f27a7ed7f26f928fe740d4086c863e7a3c5e86d85cd99ccb83534e6d58b662cd0e4608ac4729774d7028cd4b62e38349e94c67c80a8ecec9c5d637b1b0a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
02cf1313b32a8ab2f031cee39bee8fc3

SHA1
861cc0ab9ff881460dd6433e37075b822aac9355

SHA256
7e7fd13903a8d57f314d9e7dab6fa28975050b63f045eb315e96cccaa17d1e61

SHA512
f5464c94391bfb590f6755c2ae6896dd459a2a93d778601caebf272438c2ff127ec5de81dcf8efeec65a56609558477afc7be1c4993977a18fde7b915f7a8700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8165d331a65e980c7f75dba657342854

SHA1
44967c0388744de38b07e07e3a9cb174854eb7bf

SHA256
08d7b1fa1c3cdacb73cb9b34bb51a0516bfeac2f10ec54f2f27469d1c97820a9

SHA512
ee23180ed03c5042d6e6343ac2181a6d9ffbbb775e1031222e46b4a61eca4f1caf2dab50269271a07b284e270195595c91ce8c43d4cef77c8873845216546e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
de0256f0ebe8961df6cf81982a05bb30

SHA1
486050426f9853be287a44d7b599c30156b98c5f

SHA256
52e5563ca4893cc7392eba4b43ee7da510e80d59843fe7cfc35a0f26060c8101

SHA512
00a806d63de592110844a9722dfa827562022c4f3ec57fab4d84e4461691dbc238b01e68af9f463afb713c61996c8b99067fc07f02b50b7951b0e6f6833f01c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ab

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ac

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ad

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ae

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b8

Filesize
21KB

MD5
cfde5ccd531fb5af3c5dc037411ded88

SHA1
c21cfb1fe74fdee797b87bd38e39b972a6a2df5d

SHA256
aaf59bc42b50495949cbeea535b086ac971159d6c96ccd9425b9752ba4f5f225

SHA512
8e737a1eb43c6f92875d13a0d76a47a2d3e191e42713cc51b4996697aca3244fe8412a7b00c591b098ee46d3f243d377800525c3b97f332563192ea5531b79da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b9

Filesize
21KB

MD5
eb5f2f8b27b3794eb0b9d7302f3ed208

SHA1
ceb14ae185daed71ebd356c06f067ee90ca75a3a

SHA256
16a56eb5759e2174470278fec544af28e58f93a2e895141c140eef9409efeb60

SHA512
4c1441f9bc16c6c03df5c727c75e238d41aa24127904f86d18eb755564765eed86674de1d6d19406c2f9085454bbaa26c9b65f31973a364906878a9fa4688eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba

Filesize
37KB

MD5
bfda78672fa2098a6c4266a33e799f69

SHA1
7a51f4a9980e6f9d5a484d12fa3e35baddc753e9

SHA256
bdfc29cd8b54192ada7194936da17428629bb5925e31a2846682571bebe402b6

SHA512
7d01483a7da3941afcd7b1566c868018ac80927209269e98a6dab0078c1a14c0a380402efdd5b257e0a37ca6b45f68817dc774cbb32b5e7ba5f3cdefc2bc72d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb

Filesize
38KB

MD5
b8103746b4757c6332fe545f11de8f70

SHA1
588965d6333eb015af39c7f44ce71dfac67fb0f7

SHA256
4177d563a186175d3a67091c399db6c57fc271e202406e244d4bc8ad95b1aebd

SHA512
c83bd52d674d90752dfffeb76971a4f9684054d6f02cfdbe8f336758ac46d8b430f306cc64be00112b8c38d191afd1b8395d58600b12cefcb6a052ab70214ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
5f1a0ac091c5d2f838f061b237abee68

SHA1
3b302408a288e705efc6462a655843a8e4a8ceaa

SHA256
309e66b26d570d6887cb395eeebd5b9a0971d24b1740a0138e3ba65ce7bc798a

SHA512
ba091d8e5e63dcf94ec4ccae2d25afb5dacb2da65ad5f92a5fb1214cf252e2bdd2d96f3179a4b20197d79d2d836f38cfe64e7efcbb05fcb1201733ef2b163a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
57989fd8c9e4d1a65ab15efe9b95df88

SHA1
53c0fab2aa9a398f748c27aba0bf3531652b4076

SHA256
a945c5d152fe30a6682f8e2c4ed7df6132a50dfdb07c557338afc280ec48be46

SHA512
c22ad0754bae1e834e160d6e8f32568b6097420e5f79e8ea14abef597e8f6fb527b30fe4689768713c169291e5c60f79cff32e85fa322f115b8150a09bc5054b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe589749.TMP

Filesize
3KB

MD5
4b3b3271e1cd82290878d2da2ebb95c5

SHA1
f8df52d3e87224453c306d42ec57e51337c4a723

SHA256
8a704ed7b35db0fae937220af301ff8c7ca6f3f1dbafc1104776f4f88f81c712

SHA512
290c2cb3196c095ac6584430a7b4d0b9df278d85797d1125f8e0bf53869391ed50d6270fdfdc6736d9fde26eaa24da21c9364a47881c1207316b5a9719d35d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
fd44362edaa37dcebd1ad3427ceb9d96

SHA1
0e452a0d3f474c88da0cca860bded8675a9c0596

SHA256
131577573b0c9ebd9add8277c954e33688b5d46e73e2d507cbbee877bbcf5f73

SHA512
3445854d4877421a8f0858d1e0fd38b2cc603bf062b3171af67dc4ff1b7b249a44535e77fee29e9aa0ac01197fd85ed433f13ca6c3f86ea3c1ebc2829ba2dce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
c4fa6047195b87dda5d37f6880a3f756

SHA1
dbfb8074cfc4e85a082b04562dbc0058e3150319

SHA256
11fc4444cc5aff7840bf914663018d932692aea9abd9c790ca1c39e2fef41a35

SHA512
436bf3095717216d6ba27cc22bed2a9b9ccc05413c2f85f86ad5325006858262ace7a0ee44f8f77a07f3fdcf13b46ba53089fbe732a12cb95bff8d719e9de6f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
dd86ff10dd06c91018932f96a5792fa4

SHA1
5a5d88ae0aa29af50b9cc84043cb3aa648ef27ec

SHA256
d5a8ce80ba76db658b57014c5368e277082c0c9675962c6a9a6047c1d29006dd

SHA512
940d24d3086fafdfe307d52ca8f22031ced7869afa69b34d2d0b9d29c1196efc27ef187281f18cce53bc665eb48a07ce5b8f4a715ca7a8a33adcf2fd05ecaf27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
9edc925902d708001fc5bdfa64805613

SHA1
b6c1e1c4370d71174b9a913393e27d37f546c628

SHA256
8c983eb54e59e62582b606c291a586c4d8e2d1c32e667ea868c910e640f7a774

SHA512
ec1baa3e3abea9d99e8e26e6dd22fa6eb3bf33009f5749bc91dc2321933a756d01c75cb250db71a98f14ea0bf51548b44d3c31d3185282d9bffc254d8a9b5d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
bcc81298fa823bc93454566f65f2c5fb

SHA1
72080fc5ede16cd57bc101d8a9e01ca147351cff

SHA256
ef0eb8a2efd7776a827d70cab4c637732f80bd0064f85c50d49572aff1c89b28

SHA512
7de1a022c191ffe80496e8e6c1bf14ae7903e474a8fdb6a55e4dd733a78524d9569f534b8700c0a4e606881b6d5c1ec6604915cba91b97958b7099fc7087ef94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
47ec1b30e68a82c0cfb30adb638b379f

SHA1
b5f930602b5ede213864c913c69b55308aa9afdc

SHA256
f9ee0c45f4d9d7d562af05e16aece48d312ae188bd6bdbbed88a6d04dd630b7d

SHA512
e7e37596c761169d77f0408f33f7f07bce384e11d5943bfb82f5a5b340d1fce977b69764cbe11f5587063e0699a0c95ab2351e8b45fff32e212ae8c77ca48d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries~RFe5837c4.TMP

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
0f948401364d24b89743bab00cfa81c2

SHA1
8033989142c4a26d2319aa4d740b55bf0ffeed5b

SHA256
80b8ce7a1a681d3db040f28918ef0204622e522acf6a9128056da50168791e8b

SHA512
9f00b3f9208b4fc3c41cc0cae40acbdd076196041fdde0dd9f9ef023a0f57835e6223c2ac3d0e48a564be3cfdd97fa7512b2e5e837c85cc855cc85df4d230e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
30KB

MD5
832a9e6c68a7cb84ada5e6d51d9ee9f5

SHA1
00e1390c6516a01c21d963316f94c1f3942819c2

SHA256
cc8071f23ff049789f8f0273a7dc9e9e2204f783db3b45862c9ad4b61739260f

SHA512
e31f79549352c23bcf1d7d2aebea5cb1de5807785b9f9417b89a3f32243a7a219786728e4ac4c2ba0302a0663e419c15e628e9572ec888e9aa11690b40392aa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
31KB

MD5
a089bf90b38cd00bf9084d78f9cbbc67

SHA1
5029c26129bdd901ca551439c17eba94c6e5ad55

SHA256
a76d65cb956f16f05b14526970e59de42f5ca799254628cccb365ad8db9eca17

SHA512
e4d879a5708b7f67de16e7be87129e0554021284b004a8e7491e63215ff2600cffa8ae96df5ee2d3b7166960afa4189469b789c39e7e95b23730774011c0198e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
aaca11e0a8f4149cf998c1b4eaae321a

SHA1
1aa8e0d0b06d889292f71bc23d719bc468e04246

SHA256
b69faa80b5f1e950d1ea6a37cb3d58ba1bc2fe51bf3a174dd04faefd70353c79

SHA512
5cd139eea16159e4ab443681dfed21c1a6e7792ade285db10407539e1e7ae023ba48a97b095d8d18a985fe00e1ecf03e845a7591ceaf59d0f620912d1657211c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
9671e98987800de3dc6eb6a9177e906e

SHA1
63e022fe4d4f861d13b130210c9e70df7712bf38

SHA256
ec9f47e9c91d84e6f936fc63f0d431433d4024854dafae5dc462a52487ea49bd

SHA512
51b97ccdd79f674112af0ea49f115fbfa5053f31acf737bbea6cbe7a9940bac0d6d1934950300372b0a62cd45f271d352b22e7b142031cd73b2f978f8d0684f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
30KB

MD5
42ccc1122a203d673992ee9d11c4dbb2

SHA1
bcf65f71c8d150cde63617bd99b86a85fd7dd170

SHA256
59ad01a2cf60c7f3f23f9c200fad47409ee2b326efc6669c3d6e97ed119ac12a

SHA512
cd597a90e16d54e106da35a84babd5c53aeb201b38fdbd4df5670eb75b543fcedf1f08e296b5669656461e731922c70f0062b3ae93fa235c9c8a05f5137352c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
91868adbb260ae94798296a4c0f8360a

SHA1
daa7216efa2784047fc6d49f001c4a2a390ff5b5

SHA256
e4cafd81f0501c06a23ef15181481a4a9fb78471f80a1f20aca77848b7679500

SHA512
8524d4617fd4c3c28878d032f09509a44e166aa1af5fab9e051aa43b633b4f29d8f02e11a074358bb40c242c1bf38b7f21d07a4a4417d314c7cdc813ad9b337d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\04ed89ee-515f-45eb-9065-1544ab48f761\index-dir\the-real-index

Filesize
72B

MD5
9cefd35f888a3f63d5aebc6e3d643776

SHA1
bb44f39f9cb52a116f50f7a7f17714efea76b86d

SHA256
910f3e7b32a1c4c79eacd800a8c81091074af0aaa05269cb90b0852a39411ef5

SHA512
2ccccea1a04227ecafffdce05f2c32cb7412595890b4d6c3cb931feeb9a550ed08e6a26331ccb0f0da430ae29b28ee9b04582a7b4622f1a097a40b7d8ef686cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\04ed89ee-515f-45eb-9065-1544ab48f761\index-dir\the-real-index

Filesize
72B

MD5
172b708ba0e37a2ffbb49256356e43ec

SHA1
6b04c03be20641c9e6d1507cfdf57e485176a4e3

SHA256
c7d4f2ceeaaa80092559bb3134946ed7ae00f1e9e3266e0854f64740ca2a26ea

SHA512
f6049bb79e63ae23600b2a71f078fffacd7ee861b0ccf4543efad72788ac04a54c98e0a2685c81c7c16929716ed7200e6015e34d54875d60bb8405ec66ea241f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1e6296a1-756f-4e0f-ab51-0ef05e0aaa46\index-dir\the-real-index

Filesize
2KB

MD5
8a4136343aa7923819ca1c5d019398ea

SHA1
882fc23135d2f8fb05d119c8b0ba3fdc2bd359c5

SHA256
2cdbb525d0b586499f8a2dcef4c27f4381bbcafba1d1b8a425ef3f029ea1c23e

SHA512
c245b96d72ab98ed4d41f19dc8b3adcdeacd125b4d89ece5b9e85da579cd0bc1e0e9a86e6cb152272b3685376d6a11f06fd5aaa160fff5560ccb8917273b6383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt.tmp

Filesize
253B

MD5
0df37b65481f594a35d61c077a594919

SHA1
d70b4a100a20d8e3be390fa9d301a6f117bf730d

SHA256
98b02683df461dbda8498e6ec53e6e5bbb017c2cfcae4f274cc691095fa18755

SHA512
08c9b83c1134c54c293b0ad876531c42bdcc99430ee4cb66dea6b1b08d45db2b49460cecf2807d924f6d3b8bcdc2a5b39e3debf18bc67cb4ef4e1ea5f36e2d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f7a828ce5a932f4a97ac6db7b0379ad6

SHA1
7053a8ee30f7a26e3e4eef7a88aa68c30dbfffd4

SHA256
129b730fccdc8b550415ce4ceef4811a2d0b6177cf83847cda45e031ff480afd

SHA512
85bf1e0e890c7bfe2d876833b374ccb1218ec65dfb39db13d12a5b12dcd03a85ae1a730dfe5dc75fdae85ef5a1800df721b1c24e553a0be15e79c7ae02d961c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581de3.TMP

Filesize
48B

MD5
ad8afd8d5b8fcdf3d0b380a44ed96027

SHA1
5c2f6003d679ba14d7fd202af54f2a85a1b9ff65

SHA256
4ec6a51c503f34335e1b5358de4141e4bc054e553b67686611d7d4f63943d49c

SHA512
1589633d8e0436c603fb84503faf0c14151b8b9ef7e4cc177d4ea7dec6a6d50e17f820611d7c31ca759f4bedf4043ad65252eb2b11c70b21bb37eb9b327c8b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
3c18aad979bfbf650ef828aa42ad2577

SHA1
7330b3e863a1bbdff962a0325646e39002019d36

SHA256
99d61bdf54f66993fe085a986bc9065bb60dfd9cfecd64f54765440481238dff

SHA512
ed438121f22c6a45c0f8748d0ce3aa88e67f1852e4f9044341a6bfc0e471900131cd7e9ed882f13afe1619d7e2d08bfcfca7a5fdce0697b82f210512c8a87b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\72527e9c-5486-4d3d-9b60-9bd70d790ac6.tmp

Filesize
21KB

MD5
97ffbea42e9a0795865f12dedaa14292

SHA1
82b1a9a09d849ca8e55914ceb05677991729de10

SHA256
84db83a7515ea99283ea322d6ae8a7e806287e7e98771a53a5d0e3ff362ecd16

SHA512
884e56e3e7419a5ce22725d8b39b6d9424c882185762fe6ebb3a5c67d65e87b846ecce8a26491019acd3ba79641f489a32e20e2c7b99576315352cca1f5a13a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
82e46aa591783785bd4c94b113a6fcb5

SHA1
1c56185a6dbbd758e4cc261990556e0d57a7d471

SHA256
0618da08bc0f3ed1df92ee89de2708f95b234ad59dfb2194b30cff2f382c1b51

SHA512
006aa50c57d3a376cfb0789f4f9869c5c5abe568a9505a40b0a95c23bbe755151bfa024542f91261722b1f1bf86ddee8b3e0fce018b4ec8683b10a10b4d3d347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
876B

MD5
7d2fde4ace36429c326d3403f9e8e49b

SHA1
45babb2517814cea533ebc995bdd4a0dec0aff24

SHA256
45b3ec25be9ab89fc083e3246d08c8a0307d1f91febc324c6db440d640c374db

SHA512
ddc772bc2e9d3541ddf9cafdb08156a469ef8ebedd7a6dc8df5a901d55443e2bb8122727b4512f77b1ff99e0533bcf057d64280ce551c6762d090c2f0412b84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5897f5.TMP

Filesize
467B

MD5
925f43c0a38be6494550fe9fc9ed045d

SHA1
ace22eaed0154d111a690ecc1a38aa087dfc8312

SHA256
fd354b8b85a2d1db89e348cabe35e52ddc66b1fa8af2abd2dbf8cf8d4ce453de

SHA512
3aa753ef4917d05257983581546c2b9beb75cdd6a9d5ad93cf1e75b400812faf97c006efabeb2a2d1be70b46a7a564d3dfd43c66e27f0697dc8dd8233c801361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
9867cc8c00f995f6242104f203fced76

SHA1
1ba1753259637b0c392eeaa895e0d518ff7e0963

SHA256
4240c4e24b46a56bc44aa8d4693d256d93205752d63affca6271fec4baf6083a

SHA512
eb3e0978ae3bcba8cece0f224ed2dcf125d29c2598bbb65734c9bf9434d64698ad548fc874802a57c1b1365d1edff47843f229ee0586af31713db399eb1fea11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
48KB

MD5
bb8c8480cca49e26630851e8fd45fab0

SHA1
88498244c554d584c8dababd0e89306ad8d7a88b

SHA256
bc46690bf7892210428cc196d55f33a1b8b6d4bda9ab428e15b552c1833aa6ce

SHA512
117ef41d37d29a5375819e08bc403cf1e51b2a6207e58bac3d34330e59992797c306bf9509d67358bcb2e9b9d6478cd39987e94d4100f3a79bb591e242b4ad78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a03edf2efca0f1120bae8ab8aaf33add

SHA1
8ddc6104d7ea241cf4c3458386e1ea4f69192b37

SHA256
cd808a086b36a2a7873e9f03bc3ed3a27d7564c19d0b7d81fbf1d342791cc079

SHA512
6e11f243a9ca6f8e4a1f360160a8465b257631c22c4338f630690f37c192db43b9c48389ac7685b7b8b3c5d62ac866e32e48fe070d850d1779faab0ae2f100ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
5be28a773f0eaf36903b4f103b39e41c

SHA1
ec0da93b3df3d79e5eb2ab9e1490e1894dc432f2

SHA256
8f7ec9d27ad939bc26f7017ae574a17256a4ef65512d8b6cc75442e8139021f4

SHA512
3676dcbac7b36e19d7ff704d2092c329663d53d5ef4b181b9f57a38965af6a9913a525e68d89e7792ac49fec045b7e71eaa52b50ba9ecc5eb77bf44ec3d91be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e4ecb89f1c89ddb2b4674a98b24737f3

SHA1
8e56efd79d8d9169908adbc9cf5414f4abe12644

SHA256
279195067c902284122364feb434d2419f563025bc403df42e789714a9aceebc

SHA512
d30fc3d2c7372fe1f12ed24d891ba0aec16b98b26f121a7d3d9bc9de04f099fef2ebec1ef8e6619734d9d5e25720820c537b6ffb2d7567755e879d4b3b85ba97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
56903822512eff71dc90f79960bdeb31

SHA1
d24720a917f42adb07bfb867487c0e8528ec7d05

SHA256
674685e81760cce635c4b1a0876e1c46dbf5a21f892ba7114710d3ea2370b16c

SHA512
cc17f8d5532fdef1c49b015a86631b861e96657763c7174a444090783305a05e91bc3d0aadbadb5a12ce53ded6a5307e9c1dbad75ed8d43f64e41a6caab777f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
31KB

MD5
227e3dea5d51cfe9836c24c55f497d26

SHA1
c755b1b6bd32ceadf9c44464bfc04dbae872c521

SHA256
cfc5f3a931f7386e0ca827b650bfd4a4be1042a0a675a7e9a26ca379e8fb55cd

SHA512
03a4436b64894cd10980d58841f9c78322e481c20d852d7fb32c35b6ac05e34855599d8ccd0ffa3ca6cf3eb57d328048d9e1f9fa654c3ed69d547dfdc836695c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
f67b1ed88c19ce24e242c0405192be11

SHA1
8428de061c4d3679ddaeaf33004234a91a7997c9

SHA256
6054674e2afa86318f394f4aa2fbf909af29fec507e6ef86f61ba4fc7ba4e67e

SHA512
2a08b3016178b79ab6a466e603d21c3fb760484a87957a3a7ca3fdd23422d8c02f6ab1399b5091bd938dcd9b1128b2fd5f464bd3272b935164fb1d05c07dd20b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
5ec12f571b5933cc8e2e8b6541cc2331

SHA1
318b8fa630ca52b93c992fd99c4f7f09da8f12c9

SHA256
d80ed54d206f38470ad82e6525fc831e0ff645b80d99e3089319418126c6b471

SHA512
743f0344727f0d8e3690fd311ff17b204754dc23f183e5ad1ce20892790c725be392c173fe8f93a9116d8d0185a35e8d315456dfc3a5398c25df55ad13cbf901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
24726b910bd13669fe895022358ed947

SHA1
8f95273c150a45807644566e960cf2b2aeb771f1

SHA256
a02b1d8bdbb1b88cf167ab2344d2ef07df622d3d16ed85f32aeb4a0c1ee620b2

SHA512
b156de9e97518604c16347810f39dac18aef8dc6039ae089378061b280123c4b1eb086230c72f566e39d1486ad28ea7f6fba200aad5221d27803dd0a14a965fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
d430be9351be9af7eaa14ca445997b9f

SHA1
8050f23eac37b567e5ea3d46eb95564506ff95b2

SHA256
4f0c046e4638339cbbe6346aa049632bf1a92ab0db0533c3b74e0bf04d179da4

SHA512
4fc3d64d779db97e9b23ee04fcf3b49b2778c71ee4e484dd63ed222eb47f0c84862bae758f7bf749026ae742244e6a9b36dd4ba66bf4582f43c8d93c7b19807d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
5f2133a6da04998ea6a6e55ef7317ae9

SHA1
7fe6586090e520df062fe2ebec3b9009f4a05455

SHA256
ea17bcae4cbdd150ffc191e8a3841c46ae9d8747f70a1ad31d70e5a77e9f9f06

SHA512
93fc43105524836924e93a87cc8955af14ec9cafb5bf410a356bec182e2bda1f0cc1e215eccba60470ba728799d331833b66cb82679f2965b3a7bdc6d4084cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
715afd9da03b61ecacdbae1e614cf494

SHA1
b2a295be782661b00729bf10ea09b8b75b028ca4

SHA256
d16e21562e05b03a1913995fb27cf8f5e645b668ad3ba9bad85ff0f214761ac2

SHA512
8955224061154892d13dd33512ab7694abff90f17dd0ebcda4b65420f7b7760be74a08a07a2ba937f9ee78d16fae4339b52563ccfb82d298fba678235c43b432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57fcde.TMP

Filesize
392B

MD5
a1a0d98977c3002cd458a28630ec4c8a

SHA1
ec0053e6a1bf294bc7f0edeff5fb8fd96dff4577

SHA256
359edb1072d9fa1ad605bcf9efb6b8b106b8b630de0fa5c2918e872879ed364b

SHA512
ef3e7d9eb6755633851f1610cc44da6d9d6fa13e77b8cb75a26a5d5ab717931404d843a0cc0af19ec50994fe035811381e75fc34343c7b57b9a76a27fe9866d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

Filesize
2KB

MD5
499d9e568b96e759959dc69635470211

SHA1
2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

SHA256
98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

SHA512
3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

Filesize
8KB

MD5
f22599af9343cac74a6c5412104d748c

SHA1
e2ac4c57fa38f9d99f3d38c2f6582b4334331df5

SHA256
36537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65

SHA512
5c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
22KB

MD5
88ae3e5ae5d8f07d6f2da60942cc50dc

SHA1
cdb4aed3ec05fbd6aa3221c92f27d286b519b267

SHA256
b009fccb5d7af1a8668dee153e52901b28ec85fca99bd8d5795de73c4f72e968

SHA512
10f5e8482886e9be888db5190d87ce9070183ece74d8f61fa4b8e1714d9d12d6d152c108f1ca78cb121aeb2d3344be4b3c05089b83a0c149d2d0b7d2529664e0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
22KB

MD5
1eaae9c0d8c48b6d2049a960fa89a0a0

SHA1
c3342c658e2016e5f0d8fe50181b0abc9b3471d8

SHA256
da4fcb7bd7e2265a161693745901255f0aab3e1dd4ab09ca47a541d00ad8bd4c

SHA512
c94d7fe9e6f08a4f38cb69ee033e2651affece3a2c698a97c9dbcf609c69912fd685942f23025c5a66b96381579afd1e2d2d68554889aa2af18847c99c703aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\321683e6-8cf8-42aa-8132-901ae55110ad.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e2e66df-7124-4cc6-8e47-5529b2ca53ae.tmp

Filesize
371KB

MD5
47f070288cabdab007d245a79b9a13dc

SHA1
555f8464ddff225cd153e8daf5bfe7168c43d0f7

SHA256
b446b75c157e694a0a744de345dae4a7d0782222e5e385f1484089ab2783b38c

SHA512
2084bff73714fd2b61e4a51530c1901d81ce70210f73a34e068db0e3cec3a59240ac509964ae77f3e3462b38b98b85e648310a00538b1825818d1f450fd6bdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4b35458-ad33-4456-958f-909c41e7b90b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\f49d9171-ac61-4c70-8b0d-d773047020f4.tmp

Filesize
2.1MB

MD5
4cd67032e35fa92f5182df10df289906

SHA1
9210bfc66bd808ffcd7c6443e160dc8d6754c416

SHA256
efdad7555293ec2d14399c2c2fc9d07228de1f6e3746b27da621b76fe5ceea07

SHA512
f3d83f6e77e4568d2dae539c95acf0a886926a001b4d80f0ea602387530fc333f688ac031b3057e1c2b0375426cf47ae33315f7da9ffaec601102be0bb7221cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4796_851912476\c59e66bf-af9b-4256-9edf-5a981bccef5b.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1E035E8D-F9CE-4991-A7FB-2E6EA8A026AE} - OProcSessId.dat.fun

Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
28.1MB

MD5
bf11443881a30daf3c1357b0a24133e7

SHA1
754cab0813c0ceea463ff30bf025c11268cb6845

SHA256
c29971efbb4bb50cccf5151ee05721a579f49899b98b02cdcd44a9c6ac71f4fa

SHA512
bd19f3347e835ee611a657003887f26748a9af725c3d079b4e19c2726c5e87fc0f344125233473218bfc7796c01e3e723bcee829a9ce14f8507d236eadb64f69

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
944B

MD5
6acb0716a3c649e231ee8c9d2ac4398c

SHA1
a34378aa2c11fcd2ceef22eac9adcd497269cee7

SHA256
2e1624989d5fd53dbdc447219eca5678e4a0cd26aea7182b159d7b63a6ccde4a

SHA512
439070d66e52ad9c383af8d4f6d30356a75e101cf75a8be9a83f269ee7c52c9ff3be67665c9983fc0de3ab538698bf4a8cfa9c76eda1fb06a9fc0e932efaaef9

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1185620335\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1357474366\manifest.json

Filesize
160B

MD5
c3911ceb35539db42e5654bdd60ac956

SHA1
71be0751e5fc583b119730dbceb2c723f2389f6c

SHA256
31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

SHA512
d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_163295063\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_1890059008\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4796_478358612\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
memory/1068-2259-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2460-4466-0x0000000001230000-0x0000000001238000-memory.dmp

Filesize
32KB

Download
memory/5256-4413-0x0000000001B60000-0x0000000001B98000-memory.dmp

Filesize
224KB

Download
memory/5256-4414-0x000000001C510000-0x000000001C9DE000-memory.dmp

Filesize
4.8MB

Download
memory/5256-4415-0x000000001CA80000-0x000000001CB1C000-memory.dmp

Filesize
624KB

Download
memory/5340-3778-0x0000000074170000-0x00000000741F2000-memory.dmp

Filesize
520KB

Download
memory/5340-4465-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/5340-4459-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-4398-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-4380-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-4507-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-4320-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/5340-4314-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-4276-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-3899-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-3854-0x0000000074200000-0x000000007421C000-memory.dmp

Filesize
112KB

Download
memory/5340-3856-0x00000000740E0000-0x0000000074162000-memory.dmp

Filesize
520KB

Download
memory/5340-3853-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-3855-0x0000000074170000-0x00000000741F2000-memory.dmp

Filesize
520KB

Download
memory/5340-3857-0x00000000740B0000-0x00000000740D2000-memory.dmp

Filesize
136KB

Download
memory/5340-3859-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/5340-3858-0x0000000074030000-0x00000000740A7000-memory.dmp

Filesize
476KB

Download
memory/5340-3779-0x0000000073E10000-0x000000007402C000-memory.dmp

Filesize
2.1MB

Download
memory/5340-3782-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/5340-3781-0x00000000740B0000-0x00000000740D2000-memory.dmp

Filesize
136KB

Download
memory/5340-3780-0x00000000740E0000-0x0000000074162000-memory.dmp

Filesize
520KB

Download