Analysis
-
max time kernel: 274s
max time network: 252s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24-11-2022 19:38
Behavioral task: behavioral1
Sample: Convert_mp4_to_mkv.exe
Resource: win10-20220901-en
General
-
Target: Convert_mp4_to_mkv.exe
Size: 290KB
MD5: 62878b796562c411dd59d57dc2076967
SHA1: 8f49669864e863ba3a081fe3bd10d88bfc01a10f
SHA256: f3c1bfeb62067c797eb43f47daec11e72c0cbc85d5c26ca001caba5f2732d20a
SHA512: 49dd25c2c071376ccdf18ca2bc9d6c03a12226d1bd5e7cc04184d87b9e68c75cd4b4b3bd4d135ede3c821a65609ee26d97adecad9b89ccc5dfdc185d6c5b3795
SSDEEP: 3072:H4dzVTaer344JzthRZijQ1Jf12bj8E7bwcZflRVGLDyHzZLB3VDELbkWSecuwjZf:HmRHz4mnREj21g3J/bwGLjejjH6erO
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\8A91.tmp\Windows_Mania_WannaCry_Removal.exe | family_chaos
  C:\Users\Admin\AppData\Local\Temp\8A91.tmp\Windows_Mania_WannaCry_Removal.exe | family_chaos
  behavioral1/memory/4092-137-0x00000000001F0000-0x0000000000254000-memory.dmp | family_chaos
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid  | process
  3684 | bcdedit.exe
  4340 | bcdedit.exe
-
Processes:
  pid  | process
  4764 | wbadmin.exe
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
Processes:
  pid  | process
  4812 | MBR.exe
  4092 | Windows_Mania_WannaCry_Removal.exe
  4252 | ndp48-web.exe
  5060 | Setup.exe
  1356 | Windows Defender.exe
  3532 | SystemBlocker_Interface.exe
  2888 | SetupUtility.exe
  4860 | SetupUtility.exe
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\CompareGroup.raw => C:\Users\Admin\Pictures\CompareGroup.raw.sysblock | Windows Defender.exe
  File renamed | C:\Users\Admin\Pictures\ImportWait.tif => C:\Users\Admin\Pictures\ImportWait.tif.sysblock | Windows Defender.exe
  File renamed | C:\Users\Admin\Pictures\OpenCompress.png => C:\Users\Admin\Pictures\OpenCompress.png.sysblock | Windows Defender.exe
  File renamed | C:\Users\Admin\Pictures\RestoreGrant.raw => C:\Users\Admin\Pictures\RestoreGrant.raw.sysblock | Windows Defender.exe
  File renamed | C:\Users\Admin\Pictures\SyncSelect.raw => C:\Users\Admin\Pictures\SyncSelect.raw.sysblock | Windows Defender.exe
-
Processes:
  resource | yara_rule
  behavioral1/memory/572-120-0x0000000140000000-0x0000000140083000-memory.dmp | upx
  behavioral1/memory/572-145-0x0000000140000000-0x0000000140083000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation | MBR.exe
-
Drops startup file 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.url | Windows Defender.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Windows Defender.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt | Windows Defender.exe
-
Loads dropped DLL 4 IoCs
Processes:
  pid  | process
  5060 | Setup.exe
  5060 | Setup.exe
  5060 | Setup.exe
  5060 | Setup.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\D: | explorer.exe
-
Drops file in System32 directory 15 IoCs
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\system32\msvcp120_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\system32\msvcp140_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\syswow64\msvcr120_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\system32\ucrtbase_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\system32\msvcr100_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\system32\en-us\dfshim.dll.mui | Setup.exe
  File opened for modification | \??\c:\windows\syswow64\ucrtbase_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\syswow64\msvcr100_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\syswow64\vcruntime140_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\syswow64\msvcp140_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\syswow64\aspnet_counters.dll | Setup.exe
  File opened for modification | \??\c:\windows\system32\aspnet_counters.dll | Setup.exe
  File opened for modification | \??\c:\windows\system32\msvcr120_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\system32\vcruntime140_clr0400.dll | Setup.exe
  File opened for modification | \??\c:\windows\syswow64\msvcp120_clr0400.dll | Setup.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n0unihb7e.jpg" | Windows Defender.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
  description | ioc | process
  File opened for modification | \??\c:\program files (x86)\microsoft.net\redistlist\assemblylist_4_client.xml | Setup.exe
  File opened for modification | \??\c:\program files (x86)\microsoft.net\redistlist\assemblylist_4_extended.xml | Setup.exe
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 30 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Setup.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid  | process
  4456 | vssadmin.exe
-
Kills process with taskkill 3 IoCs
Processes:
  pid  | process
  4240 | taskkill.exe
  2824 | taskkill.exe
  3684 | taskkill.exe
-
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
-
Modifies registry class 64 IoCs
-
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dotnet.microsoft.com\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 19002f433a5c000000000000000000000000000000000000000000 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. 
See aka.ms/browserpolicy\Extensions MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{7AB9D028-F374-4262-8670-103F0C8E9311}" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" NOTEPAD.EXE -
Processes:
Setup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob = 5900000001000000160000005200530041002f005300480041003200350036000000190000000100000010000000bb048f1838395f6fc3a1f3d2b7e97654140000000100000014000000722d3a02319043b914054ee1eaa7c731d12389340300000001000000140000008f43288ad272f3103b6fb1428485ea3014c0bcfe69000000010000000e000000300c060a2b0601040182373c03020b00000001000000540000004d006900630072006f0073006f0066007400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003100310000000f0000000100000020000000279cd652c4e252bfbe5217ac722205d7729ba409148cfa9e6d9e5b1cb94eaff1040000000100000010000000ce0490d5e56c34a5ae0be98be581185d5c0000000100000004000000001000002000000001000000f1050000308205ed308203d5a00302010202103f8bc8b5fc9fb29643b569d66c42e144300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131303332323232303532385a170d3336303332323232313330345a308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f72697479203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100b28041aa35384d13723268224db8b2f1ffd552bc6cc7f5d24a8c36eed1c25c7e8c8aaeaf13286fc073e33aced025a85a3a6defa8b859ab132368cd0c2987d16f805c8f447f5d90015258ac51c55f2a87dcdcd80a1dc103b97bb056e8a3de6461c29ef8f37cb9ec0db554fe4cb
6654f88f09c48990c420b097c315917790678288d893a4c0325be716a5c0be78460a49922e3d2af84a4a7fbd198ed0ca9de9489e10ea0dcc0ce993dea0852bb5679e41f84ba1eb8b4c4495c4f314b87dddd0567269980e07111a3b8a541e2a453b9f73229830c13bf365e04b34b43472f6be2911ed3984fdd4207c8e81d12fc99a96b3e927ec8d6693afc64bdb6099dcafd0c0ba29b77604b0394a4306912d6422dc1414ccadcaafd8f5b83469ad9fcb1d1e3b3c97f487acd24f0418f5c74d0acb010200649b7c72d21c857e3d086f30368fbd0ce71c189994a64016cfdec3091cf413c92c7e5ba861d6184c75f833962aeb4922f47f30bf855eba01f59d0bb749b1ed076e6f2e906d710e8fa64de69c635968802f046b83f27996fcb71892935f7481602358fd5797c4d02cf5feb8a834f457188f9a90d4e72e9c29c07cf491b4e040e63518c5ed800c1552cb6c6e0c2654ec93439f59cb3c47ee8616e135f15c45fd97eed1dceee44eccb2e86b1ec38f670edab5c13c1d90f0dc780b255ed34f7ac9be4c3dae7473ca6b58f31dfc54bafebf10203010001a351304f300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414722d3a02319043b914054ee1eaa7c731d1238934301006092b06010401823715010403020100300d06092a864886f70d01010b050003820201007f72cf0fb7c515db9bc049ca265bfe9e13e6d3f0d2db975ff24b3f4db3ae19aeedd797a0acefa93aa3c241b0e5b8919e13812403e609fd3f574039212456d1102f4b40a936864bb453579afbf17e898f11fe186c51aae8ed0995b5e571c9a1e98775a6157fc97e37545e7493c5c367cc0d4f6ba8170c6d08927e8bdd81aa2d7021c33d0614bbbf245ea784d73f0f2122bd4b0006db971cd85ed4c50b5c876e50a4e8c338a4fbcb2cc592669b855ecb7a6c937c8029585b57b54069ba0879a66462159d879645b5662320038b1c73a0d3a27933e0505986db2fe50225ea732a9f0014c836c7923be94e00ecd85609b9334912d2540b01abac47b691297d4cb475805201e8ca82f69fccac9c8f17ea2f26b0ab72ac0bfe9e511ec74355674f51b357d6b6ecee52b73ae94ee1d78188bc4f8e75bb4ba8f035aa26d4676749b2704c3b93dc1ddf78908672b238a4d1dc924dc958eb2b125cd43bae8c6bb083e5013ff80932f693353422afdd370d7709802bcd4800f18c9919470501e9d1bfd14ed0e628433799a40a4a08d99a7173d2aacd31136376a1376f92381e7d123c6632e7cb6de1fc5289ddcad666059a9661bea228c71ca3a736503c3aa4df4a6ee6873bceebf0e081379d133c528ebdb91d34c61dd50a6a3d9829708c892ad1ab8210481fdcf4efa5c5bb551
a3863844eb76cad9554ec6522104917b8c01ec70fac5447 Setup.exe -
NTFS ADS 1 IoCs
Processes:
browser_broker.exe
description                    ioc                                                                                                                                              process
File opened for modification   C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ndp48-web.exe.3hzw492.partial:Zone.Identifier   browser_broker.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXE
pid    process
3556   NOTEPAD.EXE
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Windows Defender.exe
pid    process
1356   Windows Defender.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Windows_Mania_WannaCry_Removal.exeSetup.exeWindows Defender.exepid process 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 4092 Windows_Mania_WannaCry_Removal.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 1356 Windows Defender.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exe, NOTEPAD.EXE
pid    process
4348   explorer.exe
3556   NOTEPAD.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
MicrosoftEdgeCP.exe
pid    process
396    MicrosoftEdgeCP.exe
396    MicrosoftEdgeCP.exe
396    MicrosoftEdgeCP.exe
396    MicrosoftEdgeCP.exe
396    MicrosoftEdgeCP.exe
396    MicrosoftEdgeCP.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskkill.exeWindows_Mania_WannaCry_Removal.exeexplorer.exeMicrosoftEdge.exedescription pid process Token: SeDebugPrivilege 4240 taskkill.exe Token: SeDebugPrivilege 4092 Windows_Mania_WannaCry_Removal.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: 
SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeTakeOwnershipPrivilege 4348 explorer.exe Token: SeRestorePrivilege 4348 explorer.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe Token: SeDebugPrivilege 4648 MicrosoftEdge.exe Token: SeDebugPrivilege 4648 MicrosoftEdge.exe Token: SeDebugPrivilege 4648 MicrosoftEdge.exe Token: SeDebugPrivilege 4648 MicrosoftEdge.exe Token: SeShutdownPrivilege 4348 explorer.exe Token: SeCreatePagefilePrivilege 4348 explorer.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
Processes:
explorer.exeSetup.exeNOTEPAD.EXEpid process 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 5060 Setup.exe 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
explorer.exepid process 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe 4348 explorer.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
Processes:
SearchUI.exeexplorer.exeMicrosoftEdge.exeMicrosoftEdgeCP.exendp48-web.exeNOTEPAD.EXESetup.exepid process 4388 SearchUI.exe 4348 explorer.exe 4648 MicrosoftEdge.exe 396 MicrosoftEdgeCP.exe 396 MicrosoftEdgeCP.exe 4252 ndp48-web.exe 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 3556 NOTEPAD.EXE 5060 Setup.exe 5060 Setup.exe 5060 Setup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Convert_mp4_to_mkv.execmd.exeMicrosoftEdgeCP.exebrowser_broker.exendp48-web.exeWindows_Mania_WannaCry_Removal.exedescription pid process target process PID 572 wrote to memory of 1604 572 Convert_mp4_to_mkv.exe cmd.exe PID 572 wrote to memory of 1604 572 Convert_mp4_to_mkv.exe cmd.exe PID 1604 wrote to memory of 4812 1604 cmd.exe MBR.exe PID 1604 wrote to memory of 4812 1604 cmd.exe MBR.exe PID 1604 wrote to memory of 4880 1604 cmd.exe reg.exe PID 1604 wrote to memory of 4880 1604 cmd.exe reg.exe PID 1604 wrote to memory of 5092 1604 cmd.exe reg.exe PID 1604 wrote to memory of 5092 1604 cmd.exe reg.exe PID 1604 wrote to memory of 1928 1604 cmd.exe reg.exe PID 1604 wrote to memory of 1928 1604 cmd.exe reg.exe PID 1604 wrote to memory of 304 1604 cmd.exe reg.exe PID 1604 wrote to memory of 304 1604 cmd.exe reg.exe PID 1604 wrote to memory of 5108 1604 cmd.exe reg.exe PID 1604 wrote to memory of 5108 1604 cmd.exe reg.exe PID 1604 wrote to memory of 4240 1604 cmd.exe taskkill.exe PID 1604 wrote to memory of 4240 1604 cmd.exe taskkill.exe PID 1604 wrote to memory of 4348 1604 cmd.exe explorer.exe PID 1604 wrote to memory of 4348 1604 cmd.exe explorer.exe PID 1604 wrote to memory of 4092 1604 cmd.exe Windows_Mania_WannaCry_Removal.exe PID 1604 wrote to memory of 4092 1604 cmd.exe Windows_Mania_WannaCry_Removal.exe PID 1604 wrote to memory of 1528 1604 cmd.exe PING.EXE PID 1604 wrote to memory of 1528 1604 cmd.exe PING.EXE PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 
3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 640 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 640 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 640 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 640 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 640 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 640 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 3320 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 164 wrote to memory of 4252 164 browser_broker.exe ndp48-web.exe PID 164 wrote to memory of 4252 164 browser_broker.exe ndp48-web.exe PID 164 wrote to memory of 4252 164 browser_broker.exe ndp48-web.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe 
PID 396 wrote to memory of 2968 396 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 4252 wrote to memory of 5060 4252 ndp48-web.exe Setup.exe PID 4252 wrote to memory of 5060 4252 ndp48-web.exe Setup.exe PID 4252 wrote to memory of 5060 4252 ndp48-web.exe Setup.exe PID 4092 wrote to memory of 1356 4092 Windows_Mania_WannaCry_Removal.exe Windows Defender.exe PID 4092 wrote to memory of 1356 4092 Windows_Mania_WannaCry_Removal.exe Windows Defender.exe PID 1604 wrote to memory of 2824 1604 cmd.exe taskkill.exe PID 1604 wrote to memory of 2824 1604 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8A91.tmp\8A92.tmp\8A93.bat C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\MBR.exeMBR.exe3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogOff" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "shutdownwithoutlogon" /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\Windows_Mania_WannaCry_Removal.exeWindows_Mania_WannaCry_Removal.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Defender.exe"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt5⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 703⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /f /im notepad.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\SystemBlocker_Interface.exeSystemBlocker_Interface.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A91.tmp\voice.vbs"3⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exe
Command line: C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ndp48-web.exe
  Command line: "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ndp48-web.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
    C:\f2e612232db2f41856bc40\Setup.exe
    Command line: C:\f2e612232db2f41856bc40\\Setup.exe /x86 /x64 /web
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    -
      C:\f2e612232db2f41856bc40\SetupUtility.exe
      Command line: SetupUtility.exe /aupause
      - Executes dropped EXE
      -
      C:\f2e612232db2f41856bc40\SetupUtility.exe
      Command line: SetupUtility.exe /screboot
      - Executes dropped EXE
      -
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x2e8
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
-
C:\Windows\System32\vdsldr.exe
Command line: C:\Windows\System32\vdsldr.exe -Embedding
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ndp48-web.exe
Filesize: 1.4MB
MD5: 34a5c76979563918b953e66e0d39c7ef
SHA1: 4181398aa1fd5190155ac3a388434e5f7ea0b667
SHA256: 0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
SHA512: 642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ndp48-web.exe.3hzw492.partial
Filesize: 1.4MB
MD5: 34a5c76979563918b953e66e0d39c7ef
SHA1: 4181398aa1fd5190155ac3a388434e5f7ea0b667
SHA256: 0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
SHA512: 642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5AY1UXV5\RE1Mu3b[1].png
Filesize: 3KB
MD5: 9f14c20150a003d7ce4de57c298f0fba
SHA1: daa53cf17cc45878a1b153f3c3bf47dc9669d78f
SHA256: 112fec798b78aa02e102a724b5cb1990c0f909bc1d8b7b1fa256eab41bbc0960
SHA512: d4f6e49c854e15fe48d6a1f1a03fda93218ab8fcdb2c443668e7df478830831acc2b41daefc25ed38fcc8d96c4401377374fed35c36a5017a11e63c8dae5c487
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5AY1UXV5\alert-info[1].svg
Filesize: 726B
MD5: c7db49644f6bf1f50b3190ffba0516ed
SHA1: 5bb312a0b6357ccb7e93158ac0f97b4e249e4696
SHA256: 2d891fb5984d5f421055da7f5d7e4be525df4c973fdc4366057bc9dfd82ce281
SHA512: 9b7f127443d517223a2a2cf6131a777f56aae3cd21dbcc1e87d847a0ad42e8c05a7f13347fec6d4df0582d486a57a9dc0d8121e6ca38371549f53e396cf6463a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5AY1UXV5\bootstrap-custom.min[1].css
Filesize: 227KB
MD5: 1ec0a74bd7ac4266778655ee292ae367
SHA1: cae69771c4a28ac7fcecda2f27fac358011c1b57
SHA256: 5b487f577f91a21990fed3720bfcb93ad9cae0f386d712f0abdc1a3da695e528
SHA512: 180f72baefe3fe26d54dc385e5a0f9d42cc7320edfd3191da4850e96ffaff418329d9b851bf31dbfe50caa3d4ef90da1c89c9e34237088fea31859659b9952aa
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5AY1UXV5\open-sans-v34-latin-regular[1].woff2
Filesize: 16KB
MD5: e43b535855a4ae53bd5b07a6eeb3bf67
SHA1: 6507312d9491156036316484bf8dc41e8b52ddd9
SHA256: b34551ae25916c460423b82beb8e0675b27f76a9a2908f18286260fbd6de6681
SHA512: 955a4c3ea5df9d2255defc2c40555ac62eeafcc81f6fa688ba5e11a252b3ed59b4275e3e9a72c3f58e66be3a4d0e9952638932fa29eb9075463537910a8e0ce6
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5AY1UXV5\override[1].css
Filesize: 1KB
MD5: a570448f8e33150f5737b9a57b6d889a
SHA1: 860949a95b7598b394aa255fe06f530c3da24e4e
SHA256: 0bd288d5397a69ead391875b422bf2cbdcc4f795d64aa2f780aff45768d78248
SHA512: 217f971a8012de8fe170b4a20821a52fa198447fa582b82cf221f4d73e902c7e3aa1022cb0b209b6679c2eae0f10469a149f510a6c2132c987f46214b1e2bbbc
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\749M7VRM\37-8473b9[1].js
Filesize: 133KB
MD5: d8b85b1b9a54c532f41ee3ad758450a6
SHA1: 8311e13eb390700f93a0c3ee90bc617e0ed4301d
SHA256: f1464d6010ed2930cf906e7e4573940b4b247929c847e81d0fe866ecc4158d4f
SHA512: 4ebdbd913f6eaacfb8e4086fc835a5139993659d53d181d25e18bc43f552a6abc06d7521eadf88926c892a49a6075d39e28bdd11438107aec6dda4a4988cc711
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\749M7VRM\cookie-consent.min[1].js
Filesize: 956B
MD5: 8e43b322c03693474b06d839837d4fa1
SHA1: c42c6458fa02771f4a0fc962bfb3cc14311e7638
SHA256: ea6c90c5174a8d235337db610bc3c84228c2e9c4a39b16701210fc375e82a18a
SHA512: 6c3cce5847f2f460cfb812b484880ca583d42d9242ae5b3a1440daf7e0dca557b56c57edc460b4cf58e168f400dbfc0de164c2a846266dc61fd7db3cfd413174
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\749M7VRM\general.min[1].js
Filesize: 172KB
MD5: c09f5d0b66835ebfe3a3a40be537f834
SHA1: 612de9032d53362206ab56c04cb0ab2608e3b19c
SHA256: 24ce903cdbfd82e0b4ad4564a341fc49d6458179820f93cc965ffb02963580db
SHA512: 081e09878395ea203eddd31e6ec577814081cdeb1a801c5d0793c3336284b861f4778786bbebfdf7e1970a25aba931320c870d6444115e21865f27463b8cc0b6
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\749M7VRM\main.min[1].js
Filesize: 28KB
MD5: f65baf0aeb4e642925472561614bb06b
SHA1: 79a56ef1313be37031d5add7d5267dc00ddcdd5f
SHA256: d2ba461795456e22e552fa372bc17d8c70eeba511d0df6c96bacc732c725941a
SHA512: 66fc474bdd4e65d88767ad7a416bb6c34c576529d85b059422a93415b345b8eb85240098c598ac8f04457e7d2219297533efda758a20fb9d2025aeb6941cfc9c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\749M7VRM\mwfmdl2-v3.54[1].woff
Filesize: 25KB
MD5: d0263dc03be4c393a90bda733c57d6db
SHA1: 8a032b6deab53a33234c735133b48518f8643b92
SHA256: 22b4df5c33045b645cafa45b04685f4752e471a2e933bff5bf14324d87deee12
SHA512: 9511bef269ae0797addf4cd6f2fec4ad0c4a4e06b3e5bf6138c7678a203022ac4818c7d446d154594504c947da3061030e82472d2708149c0709b1a070fdd0e3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LI4HVKP2\analytics.min[1].js
Filesize: 2KB
MD5: 8ecefb1d281a6656cbfc10187c34dc98
SHA1: 8f22955b673af83115a9635b22e5174fa166657a
SHA256: 043815581e5875956e38c3277443a1b0f68432f97878dcd72f232974fd6e5ec1
SHA512: 909952271cdfec0e6259048b6e61a04bc79a2fa4798fbb6f0c06336e1dae3558f437151b14f0a748b2f3e70a41fcbf740cdc5a1f6a7619ef05f106e690aeaeaa
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LI4HVKP2\culture-selector.min[1].js
Filesize: 302B
MD5: e886b9422ab1c9a296c220de289971ab
SHA1: 457b23822d9c94d763c98b681afa778b1fb2c874
SHA256: a9c2b239f8f3164d84f6bec2ed1f04f84b257b516abfb791373658300e4f2ee7
SHA512: a56b6e665783e4a6769bdd1a19c732ee3e6d9f1be010b6ab5cc4a9b040eec3be34acd8ae6322c49318e438b03ff7e1712c3a577049a01dd73a5afa0024f585dd
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LI4HVKP2\dotnet-framework-runtime[1].svg
Filesize: 42KB
MD5: 5aaa8c37cd59979b920cd21c4a50a38d
SHA1: 0ee61e3b2d58513b92cf4c6b5114c1beb55539e7
SHA256: db6c6f42e1d56092fb2c3d317968077cb29435139274faefbf4ab7681955bec6
SHA512: 0fb4c45db9f29963fce195e79b4e9963e57a50ef0fcab74466d6034834e0099f1f344a8569973d4c1ece05d9b70b5938b42ead4fabaa08de7d24c911df28c235
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LI4HVKP2\dotnetmdl2-icons-061622[1].woff
Filesize: 13KB
MD5: 69bd98e83eaa70274d2fcff8d71ed013
SHA1: c611bd891a63f788c1dd20e686ba40c44a4b6e79
SHA256: 24cd5530dc798f9b08f7e3e48c8688b9324fa8edfc8aea24d4109fedcc6bc7bc
SHA512: a5b8429a529aa32bfe2b96d408aad99f2771d387fb45fc18a5bead5df0f6134ba9e86d01923e5745505288aaa31b4276a840d88d943d3a6b452f51b94d180551
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LI4HVKP2\ndp48-web[1].exe
Filesize: 272KB
MD5: dbb4f20e5ff70e3e8107d2bd57bb6ae8
SHA1: 5b9476f8f94f8c2db75bf67ddc53046946dd940e
SHA256: a85bee7672e17ae86a2b27c615c47af918af92d9cf0d7675ae64f48b5bc9c3cd
SHA512: f4cdf6fddf1007a695f76115bc68b47f5365772a02d6ac5512d0145f9178c1ebeef168a0341b5e9c7cb85eb6e303a978410827b7db12aad3f485a399844daf89
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LI4HVKP2\open-sans-v34-latin-600[1].woff2
Filesize: 16KB
MD5: 603c99275486a11982874425a0bc0dd1
SHA1: ffeb62d105d2893d323574407b459fbae8cc90a6
SHA256: 4ffc35ac4d5e3f1546a4c1a879f425f090ff3336e0fce31a39ae4973b5e8c127
SHA512: 662dc53798ccda65ee972a1bb52959ca5f4c45066c1d500c2476c50ec537cb90a42d474d7dde2bec1ea8c312cc4a46e1d91ffb610130c2dc7914b65aef8a2615
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O27VHVBO\ai.2.min[1].js
Filesize: 117KB
MD5: f63d62b7f7a371f237e1c4d5d55b82cc
SHA1: fe5bde41271fa0c3b63c13c6ce823333500e91ac
SHA256: ac4f3a99557d9c17b6ded0c6d4f0b267f4879cde9baec07a83910ab8c7059f77
SHA512: 9657d9f24a2dad3e0617ac323170a940fae7a85028d268b3d1710b6a7ff91fdb136c85b421cccfcc943ea235cff3201dd0e31e908d9e1f1ba4064849da089ddf
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O27VHVBO\cda-tracker.min[1].js
Filesize: 762B
MD5: dac957d8b23d6c49aa5e917f5c2505a0
SHA1: 49bb19db449215dde7384578684b1704559f95e2
SHA256: 04e0ac55a31e7481d75fc6a8f4198473c477c3620aa84051c39f5678b1e7694e
SHA512: b55b5d144e94b786ada89dedf1f617d5b47fe0071b857e56e12bf9e19a083ecd3375711b73029270332104e1eaca41cba364aa270fb9586466930b2ba10efe9a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O27VHVBO\ef-a24652[1].css
Filesize: 166KB
MD5: 3bce25f9ec586670eb7c3a14714b59f5
SHA1: 1e2fa043bd39126cc8aa998365d804552d9f00ce
SHA256: 4515475065d4402b18e5811b275be596230a83379aefb1b7d19d0db93b5c53a4
SHA512: 0d1333eacc421ab6c91bf4fd91398075bc2a21c346dd09d971a746859b969ee5179d62adeb15fca1c872b79c1e7efa4a7454c025870b9bb053d6974fc0e74c6c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O27VHVBO\ms.analytics-web-3.min[1].js
Filesize: 136KB
MD5: c9d788ec9041717cdf9bbfbba4d3f395
SHA1: 5eaca142c7ac5bb18fdb894d400bc99f640a6a09
SHA256: 581e167dd3aa1f6bff67e7cbf1bed83dfa10ec04ad2989976f118dd5724de5a0
SHA512: cb8154674030b3aa033d2aaf432c30a2f96e21f4b270810c72e0300f74abb12369cc126ec7b5f0c2cccc8dbaeabd4966703ef446460a114907f86abdc460f0c5
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O27VHVBO\open-sans-v34-latin-700[1].woff2
Filesize: 15KB
MD5: e45478d4d6f15dafda1f25d9e0fb5fa1
SHA1: 52cb490cd0ee4442ede034085cda9652b206f91c
SHA256: d1a17abb1a999842fe425e1a4ace9d90f9c18f3595c21a63d89f0611b90cfd72
SHA512: 2ac423249ec837efa35b29705f55a326dee83f727e867269b86005cce144ca8d435f7412bb0bc9babdb9ae17419e4a0314b2923bee6a5acc96c9909e9eb48645
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O27VHVBO\space-grotesk-v12-latin-700[1].woff2
Filesize: 11KB
MD5: 514360ed1b78e71aabe58ecd08f36706
SHA1: 1062c179ea2f74b5db67f9d7822c556ed25637dd
SHA256: 751851e72654508ca07678c61bdacd91b772d725f531dd8a6f62e6f941e11ecc
SHA512: 1827c1a0189570e775bdcd07657e720e0bb27c2157ff46307cba551eaa16822645e388321081eb13cae7f4d024038b5279cff897a4c86c0ecd4428e60a5dac5e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O27VHVBO\wcp-consent[1].js
Filesize: 272KB
MD5: 5f524e20ce61f542125454baf867c47b
SHA1: 7e9834fd30dcfd27532ce79165344a438c31d78b
SHA256: c688d3f2135b6b51617a306a0b1a665324402a00a6bceba475881af281503ad9
SHA512: 224a6e2961c75be0236140fed3606507bca49eb10cb13f7df2bcfbb3b12ebeced7107de7aa8b2b2bb3fc2aa07cd4f057739735c040ef908381be5bc86e0479b2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\0GH4L8VB.cookie
Filesize: 248B
MD5: 7907b99d52ab72f563f77a51124ebfb7
SHA1: dae31007b655f09a01d1a40ba1d7cef8338f3a53
SHA256: 23a65b726e9bed76ee9739ca4da2abb81bc4dee074a465708c0e07a665d13ca2
SHA512: c196434a63faec675b5b556918ce1af5baa0c5de3e0878376e20c184af08a0cb190757f21e4e3dbb48f2e3bb81bcc302a5c7353d8f49fec206c02a0be2b30b12
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\4DMUU31C.cookie
Filesize: 280B
MD5: 065b12fbb85c32bab5b68fd71945bba6
SHA1: 83e358dd562b64e3a6ab6a6cd5b78abc9b07812a
SHA256: b6c56eb2c2e990d6baa3b9d184d6c888a8aa3c9d1ea70e0e4b4119292f05c020
SHA512: 9170e7a0adf3181d64d807a1688ba99e9ebd79597b61a00a3b272bc630c953792a95888a489aa3dad8634945725b703fc29138aa532d8a3b6320ea155d04df4f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\GKB1D0OV.cookie
Filesize: 563B
MD5: a94f914098c73cefbb3e6235ae86b6a4
SHA1: 8052aa9baea5bbb4b066e43f0e4af580b7db83bd
SHA256: e6d842d56562c35e2e4ccd6c065984353c27c4a3f17863712ae28216534f44c1
SHA512: 56db512981117189ca60131e9f6ad6f09bc8aad1409a272bffeff8988995a3aa33c2689390a4d81dfd6dac171bd4f836897cca405b961f959cb99b41a03e9c18
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\GNIUG2M3.cookie
Filesize: 436B
MD5: 37151cec8ff3978480365da4a2d48d87
SHA1: 59058bcacf4401cf311622dc9ba35d01e643fbcf
SHA256: b5cea806574b54209500e5761f4dbf0aaf7d1be3692569500372e1000bc34417
SHA512: ff95281f1e9521d042eb4d9ecbd53fe79963d0f4ce69bfb4cb44c2396b8097950c6fc150b52b04db5a58dca02cfb34f146b31198e5d05642f2d7b8c7c7bd27ff
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\JE3VHC65.cookie
Filesize: 147B
MD5: a3eed9dd3fb493fc6cc028af8f029807
SHA1: af22dcfaeaafaccdba4b97b39c65657995aed420
SHA256: 884c7f6675a8c301402128630a56367feaa556adef021b8201390acbbac9cd10
SHA512: 8903ca27c0082287151cab01b58895316c2484c6c96e23095a3ab2ae9beabace87e7cd540c01de613df3627a36e0abee909fedb40a1f8fbc28c11c4d70d5badc
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\UZ9TB3KI.cookie
Filesize: 436B
MD5: 726efa64b8d128e6bcd7f59702429ae1
SHA1: 1b333d7df08f3c889694e50ed94571acea47b829
SHA256: e51d371d26f07c9a15fcefd12024f14391fe0dd48599763d24b775310a3944bb
SHA512: 61fa8c711c18f1b5f4bdf1dd8ff93ffa8ecc814be90fc8a1ebbd53567be0ce68e7c06e27e6a914fa10e21b2ff15b9147b2c6f14d58d5f240f8389156cc13e1ab
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VR8QB6MU.cookie
Filesize: 563B
MD5: e64c26c22e357e3d6a43e312aec086e8
SHA1: 990e4df2d014540146927ec5fa578c9240b290b3
SHA256: 0d78d5e656d198df8a9d86e5f406a587cc4c9433165f3a619062aa68568a584a
SHA512: 66bd92e7a2f90944b8a7ebd7c83e1121273cbd0ca8621e5a88649ec191fef8b7c09f5dad19251438866d10b6b6b7e6fdeadf961f138a6fa2cea3e041f3bc7ba1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\WQ2SKQ3A.cookie
Filesize: 280B
MD5: dfa88e80ecb200a32e68b4c69a6f3e7f
SHA1: 87621e8a47988d6f7c43fdff731167c9ea8e0988
SHA256: c54f8da79c82cdcd8bc8de12041f3a5c013f0777b369f5e4d60563a0da2d7483
SHA512: 35585a2bcce1a37df10f453dd6fd93af2718798a975fe1557167b79c20718d036fd0dd5c4f8b1dfc8898800916e6faf2a8c22a63e43caaf5f02705bb69e01910
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\77EM575M\dotnet.microsoft[1].xml
Filesize: 198B
MD5: a075a2530ed0f001bdcef7f794aab65b
SHA1: 3be975b0765a1ec8c2b8e3478840543016c713e4
SHA256: d7c123d3a346894bea3036da303d13c2192234b991635e45fb754188e0d131ef
SHA512: ca0d56c21d291d349266b27074089d66813617422acbbab0656fa1a756c2deb7503f2a4e290a7f996352faf915882a87eb2f233bed508c260eadccc95ba2070b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\77EM575M\dotnet.microsoft[1].xml
Filesize: 198B
MD5: 0c37d1f452039569064b4a3aced66d1e
SHA1: d4be36bfd07dfb86c528fd6894b142b5fa8b01a1
SHA256: 3272773c8f4601728f560694854e566f7f69ef7abba880c0cfd4466e4fea60fa
SHA512: 34609c3f456f6c300061a37d87fc2aa62b65cfd23630b7c34c8a7b27553f3436eeb5b3ca23f81a681d0215614aa89b8da52687b4d607fe445aac49caa78ba97a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\77EM575M\dotnet.microsoft[1].xml
Filesize: 260B
MD5: 7ddf2e821b3345d1bc4e7f01aea26c5b
SHA1: 91b38a4a6e07fb7735ac926a17223b1906162f6d
SHA256: bf8d7dfbd3467ff81f5c04f022ee0a4d96907a0147c0294dea82811518f6e498
SHA512: eb96d7a03a73bd0ea9cd9d9a59131bd532cb0746b18ef2a4289b8f814ac10fa1bb6ed53ff9e057b737af664c00afb5896b82f83a573db56a0655348d810b87ef
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize: 471B
MD5: d8605533587058a9394d0c1f6228f808
SHA1: 05d55218be3e8be27f6c3beb4bde642046cbaa64
SHA256: 9a2952b7e318385b2f9bb3a653e5ada207fa93d812f4fe014c01f92b45cc9e03
SHA512: 3f91cee3f69beb0137260694de2e5aa3f4fa63ce23f3eb24d920cdf0910ace3bb645373d41c3101951eca1d4f14c18e2c0ff9fee24da4cc5bf7616583e886eb2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize: 446B
MD5: 675edb826016eca7c745972b7669a1b2
SHA1: 9f7326798f903f82a817f7fba24e349f6f9b28dd
SHA256: e3456a883a5074dab311da0367ced90c03ff459a31e3c1a4a9b4b53c211c28d8
SHA512: 24758aa193bb768f917bff714f9b5af8d2777ccb0292001f55f494eaea476030ca1c062c16a3ad3e0b0956cf10faac6ba463cecc08ee942cc6ed6a7fbc1a414a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize: 207KB
MD5: e2b88765ee31470114e866d939a8f2c6
SHA1: e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256: 523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512: 462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\8A92.tmp\8A93.bat
Filesize: 845B
MD5: 0785859d5f83bf5807e578547200037e
SHA1: 1138b2cce9781ff7f21581106e5618a4322e04a4
SHA256: 6f9bd0980bc9df446a12d92013a9fbe33ff79cf35b27809418c5c16344b2fdad
SHA512: 82c53ff7682b615844fe164a6c07f16b60a743e2b140ef3fd3f3094a22ea7a9974933cb6b8077d68348b1705ac87280709792f6fd5faa7bed9da632452525729
-
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\MBR.exe
Filesize: 9KB
MD5: 3e3286fdcbe16763fe0624d83c075e0e
SHA1: e9cab7c4be74edefde1a86b95b155d8507b1bb76
SHA256: c3fac331c62e1838ccb2cdf958c7b3d437415d1650c919235adf437bd756f40f
SHA512: a396bb94eac41ed9d97d06208d28dc64757e7d3ec4e95a0434b922de6742fa65e136a3e316a8566c6465558aa4286face63bc40def41aebd7b8c920ad2948357
-
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\MBR.exe.config
Filesize: 161B
MD5: c16b0746faa39818049fe38709a82c62
SHA1: 3fa322fe6ed724b1bc4fd52795428a36b7b8c131
SHA256: d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
SHA512: cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c
-
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\Windows_Mania_WannaCry_Removal.exe
Filesize: 381KB
MD5: 690fe7edb2e1814ab9ac0f72d71cfef1
SHA1: 2ce66689bc79ad64033b611e607e7679be6a1231
SHA256: a01d3c8333bbf5e19b1b8ec5729599d7e876c2683042213e538566f282f088e7
SHA512: 796501da715155e29df0168e42b2ce7dba41b8e5631417004bcdb9c2c6e0cffd18b0aa050047cd3d60ddb77c4a3e39baacfd8dc09568eb5e01052b0c1ed465b2
-
C:\f2e612232db2f41856bc40\1025\LocalizedData.xml
Filesize: 80KB
MD5: d8165beb3b8433921d0d5611b85bfa35
SHA1: bef57e3511e18170ebbc9ae3aefd73ce3f50f8f4
SHA256: b092668e0825f7f498acdc1bf10e1d2cb6ca99497389142cf9af815f25a4b712
SHA512: 9fa221f549b4e660c4f40c7ab0e483e3d9a9204248da51675058f32f4f56667c782667295decbb441a581f582a099fe34c6cc569d0c4ec13e85c680abf5870b0
-
C:\f2e612232db2f41856bc40\1033\LocalizedData.xml
Filesize: 83KB
MD5: 47703bed025228689a1032edae56b4c4
SHA1: a2aba33c7e8915025251574c81fe2e5ac6bc0893
SHA256: 05fc9352b918a710d51f68873fc522528265455b77014e8b0cd66c5e7aa71dc3
SHA512: 9d6eda9fc3be6116371d1b86b54b8b65ccd58c182105e0954870f75e2a6f4d7e8fc84462bfd3584175c0f849066e47d82cd18ae3bf1671e60cc237347b7cc00d
-
C:\f2e612232db2f41856bc40\DHTMLHeader.html
Filesize: 15KB
MD5: cd131d41791a543cc6f6ed1ea5bd257c
SHA1: f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256: e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512: a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a
-
C:\f2e612232db2f41856bc40\ParameterInfo.xml
Filesize: 2.7MB
MD5: 8e8c25b11ffe1d7bc70e2a31600eda7a
SHA1: 1452b55ef634e4e5b002ce302702d0c50487ff6c
SHA256: a2bec4e2afd573422045c8c2f461166508535e67abd32942d4d6fbed77b9faf8
SHA512: 4a622a5d3748ce412bf529b11d305a5a06dd381a9b972fa08d0528dc738d50a979307ce6dfb14c9b481952672ca9c3a1be43669796e5e178b23436b84bd0542a
-
C:\f2e612232db2f41856bc40\Setup.exe
Filesize: 119KB
MD5: 057ce4fb9c8e829af369afbc5c4dfd41
SHA1: 094f9d5f107939250f03253cf6bb3a93ae5b2a10
SHA256: 60dd7d10b3f88f1b17e39464bb2d7ca77c9267b846d90cf5728a518a117bd21b
SHA512: cae4df73a5b28863c14a5207fbbe4e0630e71215aa1271fe61117523cc32b8b82cd1ba63f698907fbfeb36d4007bb0f463828025957505cfcbb200f4ed5d3a52
-
C:\f2e612232db2f41856bc40\SetupEngine.dll
Filesize: 893KB
MD5: f9618535477ddfef9fe8b531a44be1a3
SHA1: c137a4c7994032a6410ef0a7e6f0f3c5acb68e03
SHA256: 236bf2b5cf6014b8ee22484afe172ace512cc99dba85080b082d47e9e189ea5c
SHA512: b85ae1a9cc334e9352c51aa94b2c74c6c067957e0e6021f7309a1c194fc64c0c50bb5efeaef7030e8689d75a22798f74cf719366a2fdcce26e23692510bfe064
-
C:\f2e612232db2f41856bc40\SplashScreen.bmp
Filesize: 117KB
MD5: bc32088bfaa1c76ba4b56639a2dec592
SHA1: 84b47aa37bda0f4cd196bd5f4bd6926a594c5f82
SHA256: b05141dbc71669a7872a8e735e5e43a7f9713d4363b7a97543e1e05dcd7470a7
SHA512: 4708015aa57f1225d928bfac08ed835d31fd7bdf2c0420979fd7d0311779d78c392412e8353a401c1aa1885568174f6b9a1e02b863095fa491b81780d99d0830
-
C:\f2e612232db2f41856bc40\UiInfo.xml
Filesize: 63KB
MD5: c99059acb88a8b651d7ab25e4047a52d
SHA1: 45114125699fa472d54bc4c45c881667c117e5d4
SHA256: b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d
SHA512: b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b
-
C:\f2e612232db2f41856bc40\sqmapi.dll
Filesize: 223KB
MD5: 0c0e41efeec8e4e78b43d7812857269a
SHA1: 846033946013f959e29cd27ff3f0eaa17cb9e33f
SHA256: 048d51885874d62952e150d69489bcfb643a5131ce8b70a49f10dfb34832702c
SHA512: e11da01852a92833c1632e121a2f2b6588b58f4f2166339a28dd02dad6af231a2260a7e5fc92e415d05aa65b71e8bbda065e82a2db49bb94b6cf2fe82b646c28
-
\f2e612232db2f41856bc40\SetupEngine.dll
Filesize: 893KB
MD5: f9618535477ddfef9fe8b531a44be1a3
SHA1: c137a4c7994032a6410ef0a7e6f0f3c5acb68e03
SHA256: 236bf2b5cf6014b8ee22484afe172ace512cc99dba85080b082d47e9e189ea5c
SHA512: b85ae1a9cc334e9352c51aa94b2c74c6c067957e0e6021f7309a1c194fc64c0c50bb5efeaef7030e8689d75a22798f74cf719366a2fdcce26e23692510bfe064
-
\f2e612232db2f41856bc40\sqmapi.dll
Filesize: 223KB
MD5: 0c0e41efeec8e4e78b43d7812857269a
SHA1: 846033946013f959e29cd27ff3f0eaa17cb9e33f
SHA256: 048d51885874d62952e150d69489bcfb643a5131ce8b70a49f10dfb34832702c
SHA512: e11da01852a92833c1632e121a2f2b6588b58f4f2166339a28dd02dad6af231a2260a7e5fc92e415d05aa65b71e8bbda065e82a2db49bb94b6cf2fe82b646c28
-
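The dropped-file and memory-dump listing above is what an analyst turns into indicators, and it arrives in a shape that is awkward to consume: labels fused to values, the same file listed several times because it was written more than once, and memory dumps named only by process id and address range. The script below is an added example (not part of this sandbox report and not Triage tooling) that parses that listing into records, collapses repeated drops by SHA256 while keeping every distinct path, and decodes the memory-dump names so the listed size can be checked against the dumped range. The regular expressions, the 5% size tolerance (listed sizes are rounded) and the field names are this example's own choices; the sample input is constructed from entries copied from this page, the Chaos payload appearing once in the fused form and once in the spaced form to show that both parse to the same record.

```python
"""Parse a Triage-style dropped-file and memory-dump listing into IoC records.
Added example for this report page, not part of the sandbox output or of Triage.
Accepts labels fused to values as extracted here ('MD5<hex>', '...exeFilesize')
and the spaced form ('MD5: <hex>', 'Filesize: 381KB')."""
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)[:\s]*([0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^(?:Filesize[:\s]*)?(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
# memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_size(text):
    """'1.6MB' -> bytes. Report sizes are rounded, so callers compare loosely."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unparsable size: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_listing(text):
    """One record per block; blocks are separated by '-' lines."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            cur = None
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            algo, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != DIGEST_LEN[algo]:  # catches a mis-split label
                raise ValueError(f"{algo} digest has wrong length: {line!r}")
            cur["hashes"][algo] = hexval
            continue
        m = SIZE_RE.match(line)
        if m and cur is not None:
            cur["size"] = m.group(1) + m.group(2)
            continue
        # Anything else opens a new record: a path or memory-dump name, possibly
        # with the 'Filesize' label fused onto its end by the page extraction.
        cur = {"name": re.sub(r"Filesize:?$", "", line).rstrip(), "size": "", "hashes": {}}
        entries.append(cur)
    return entries


def dedupe_by_sha256(entries):
    """Collapse repeated drops of identical bytes; keep every distinct path."""
    iocs = {}
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha is None:  # memory dumps and mapping files carry no hashes
            continue
        rec = iocs.setdefault(sha, {"size": e["size"], "md5": e["hashes"].get("MD5"), "paths": []})
        if e["name"] not in rec["paths"]:
            rec["paths"].append(e["name"])
    return iocs


def memory_regions(entries, tolerance=0.05):
    """Decode dump names and check the listed size against the dumped range."""
    regions = []
    for e in entries:
        m = MEM_RE.match(e["name"])
        if not m:
            continue
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        listed = parse_size(e["size"]) if e["size"] else None
        regions.append({"pid": int(m.group(1)), "event": int(m.group(2)), "start": start,
                        "end": end, "bytes": end - start, "size_matches": listed is not None
                        and abs(listed - (end - start)) <= tolerance * (end - start)})
    return regions


# Constructed input: entries copied from this page, the first in both text forms.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\Windows_Mania_WannaCry_Removal.exeFilesize
381KB
MD5690fe7edb2e1814ab9ac0f72d71cfef1
SHA12ce66689bc79ad64033b611e607e7679be6a1231
SHA256a01d3c8333bbf5e19b1b8ec5729599d7e876c2683042213e538566f282f088e7
SHA512796501da715155e29df0168e42b2ce7dba41b8e5631417004bcdb9c2c6e0cffd18b0aa050047cd3d60ddb77c4a3e39baacfd8dc09568eb5e01052b0c1ed465b2
-
C:\Users\Admin\AppData\Local\Temp\8A91.tmp\Windows_Mania_WannaCry_Removal.exe
Filesize: 381KB
MD5: 690fe7edb2e1814ab9ac0f72d71cfef1
SHA256: a01d3c8333bbf5e19b1b8ec5729599d7e876c2683042213e538566f282f088e7
-
memory/4092-137-0x00000000001F0000-0x0000000000254000-memory.dmpFilesize
400KB
-
memory/4252-485-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/304-130-0x0000000000000000-mapping.dmp
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print(dedupe_by_sha256(parsed))
    print(memory_regions(parsed))
```

Run against the full listing, the dedupe step reduces the repeated Temp\8A91.tmp, DOMStore and Setup.exe entries to one record per distinct file, and the region check confirms that the 400KB dump of pid 4092 (the process flagged as Chaos) covers exactly 0x1F0000-0x254000, which is the range to carve when building a memory signature.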
memory/304-130-0x0000000000000000-mapping.dmp
-
memory/344-674-0x0000000000000000-mapping.dmp
-
memory/572-120-0x0000000140000000-0x0000000140083000-memory.dmp
Filesize: 524KB
-
memory/572-145-0x0000000140000000-0x0000000140083000-memory.dmp
Filesize: 524KB
-
memory/1356-619-0x0000000000000000-mapping.dmp
-
memory/1528-138-0x0000000000000000-mapping.dmp
-
memory/1536-667-0x0000000000000000-mapping.dmp
-
memory/1604-121-0x0000000000000000-mapping.dmp
-
memory/1928-129-0x0000000000000000-mapping.dmp
-
memory/2824-634-0x0000000000000000-mapping.dmp
-
memory/2888-696-0x0000000000000000-mapping.dmp
-
memory/2968-530-0x000001E19ED20000-0x000001E19ED22000-memory.dmp
Filesize: 8KB
-
memory/3320-159-0x00000247118B0000-0x00000247118B2000-memory.dmp
Filesize: 8KB
-
memory/3320-151-0x0000024711880000-0x0000024711882000-memory.dmp
Filesize: 8KB
-
memory/3532-636-0x0000000000000000-mapping.dmp
-
memory/3556-681-0x0000000000000000-mapping.dmp
-
memory/3684-676-0x0000000000000000-mapping.dmp
-
memory/3684-635-0x0000000000000000-mapping.dmp
-
memory/3956-678-0x0000000000000000-mapping.dmp
-
memory/4048-651-0x0000000000000000-mapping.dmp
-
memory/4092-134-0x0000000000000000-mapping.dmp
-
memory/4092-137-0x00000000001F0000-0x0000000000254000-memory.dmp
Filesize: 400KB
-
memory/4240-132-0x0000000000000000-mapping.dmp
-
memory/4252-485-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-529-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-495-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-497-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-494-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-496-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-498-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-499-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-500-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-501-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-502-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-503-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-504-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-505-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-506-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-507-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-508-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-509-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-510-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-511-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-512-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-513-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-514-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-515-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-516-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-517-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-518-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-520-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-521-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-522-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-523-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-519-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-524-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-526-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-525-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-527-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-528-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-493-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-490-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-492-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-491-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-489-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-488-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-487-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-486-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-473-0x0000000000000000-mapping.dmp
-
memory/4252-484-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-483-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-481-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-480-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-479-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-478-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-476-0x0000000077D60000-0x0000000077EEE000-memory.dmp
Filesize: 1.6MB
-
memory/4252-477-0x0000000077D60000-0x0000000077EEE000-memory.dmp
1.6MB
-
memory/4252-475-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/4340-677-0x0000000000000000-mapping.dmp
-
memory/4348-133-0x0000000000000000-mapping.dmp
-
memory/4456-671-0x0000000000000000-mapping.dmp
-
memory/4488-675-0x0000000000000000-mapping.dmp
-
memory/4648-143-0x0000018E88C20000-0x0000018E88C30000-memory.dmpFilesize
64KB
-
memory/4648-144-0x0000018E88D20000-0x0000018E88D30000-memory.dmpFilesize
64KB
-
memory/4764-679-0x0000000000000000-mapping.dmp
-
memory/4812-123-0x0000000000000000-mapping.dmp
-
memory/4860-742-0x0000000000000000-mapping.dmp
-
memory/4880-127-0x0000000000000000-mapping.dmp
-
memory/5060-534-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/5060-533-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/5060-538-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/5060-535-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/5060-531-0x0000000000000000-mapping.dmp
-
memory/5060-536-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/5092-128-0x0000000000000000-mapping.dmp
-
memory/5108-131-0x0000000000000000-mapping.dmp