wannacry | hxxp://google[.]com

Analysis

max time kernel
486s
max time network
477s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 10:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\wannacry\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

wanncry.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\FormatExport.png.WNCRYT => C:\Users\Admin\Pictures\FormatExport.png.WNCRY	wanncry.exe
File opened for modification	C:\Users\Admin\Pictures\FormatExport.png.WNCRY	wanncry.exe
File created	C:\Users\Admin\Pictures\ConfirmMount.tif.WNCRYT	wanncry.exe
File renamed	C:\Users\Admin\Pictures\ConfirmMount.tif.WNCRYT => C:\Users\Admin\Pictures\ConfirmMount.tif.WNCRY	wanncry.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmMount.tif.WNCRY	wanncry.exe
File created	C:\Users\Admin\Pictures\FormatExport.png.WNCRYT	wanncry.exe

Drops startup file 2 IoCs

Processes:

wanncry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDE81.tmp	wanncry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDE98.tmp	wanncry.exe

Executes dropped EXE 23 IoCs

Processes:

wanncry.exetaskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exetaskse.exetaskdl.exe

pid	process
1676	wanncry.exe
3836	taskdl.exe
1356	@WanaDecryptor@.exe
2700	@WanaDecryptor@.exe
4012	taskhsvc.exe
5116	taskdl.exe
2716	taskse.exe
5520	@WanaDecryptor@.exe
5808	taskdl.exe
3524	taskse.exe
4008	@WanaDecryptor@.exe
312	taskdl.exe
2716	taskse.exe
5144	@WanaDecryptor@.exe
5584	taskse.exe
5904	@WanaDecryptor@.exe
3348	taskdl.exe
4716	taskse.exe
1952	@WanaDecryptor@.exe
4144	taskdl.exe
4100	@WanaDecryptor@.exe
2656	taskse.exe
3540	taskdl.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

4012 taskhsvc.exe
4012 taskhsvc.exe
4012 taskhsvc.exe
4012 taskhsvc.exe
4012 taskhsvc.exe
4012 taskhsvc.exe
4012 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1376 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe

pid	process
1376	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qpzmehtw499 = "\"C:\\Users\\Admin\\Downloads\\wannacry\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@WanaDecryptor@.exewanncry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	wanncry.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230328125932.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\11bbb46a-7b01-421c-b714-89a98b48d649.tmp	setup.exe

Drops file in Windows directory 4 IoCs

Processes:

wusa.exeLogonUI.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wusa.exe
File created	C:\Windows\rescache\_merged\2229298842\1818989006.pri	LogonUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "87"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 3 IoCs

Processes:

powershell.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

6128 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 464435.crdownload:SmartScreen msedge.exe

pid	process
6128	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 464435.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
3196	powershell.exe
3196	powershell.exe
1880	msedge.exe
1880	msedge.exe
860	msedge.exe
860	msedge.exe
664	identity_helper.exe
664	identity_helper.exe
5844	msedge.exe
5844	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
5304	msedge.exe
5304	msedge.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
4012	taskhsvc.exe
5360	msedge.exe
5360	msedge.exe
4812	msedge.exe
4812	msedge.exe
4188	identity_helper.exe
4188	identity_helper.exe
4836	msedge.exe
4836	msedge.exe
2420	msedge.exe
2420	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

bootim.exe

pid process

2656 bootim.exe

pid	process
2656	bootim.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 50 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	process
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
4812	msedge.exe
4812	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeAUDIODG.EXE7zG.exetaskse.exeWMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exeSystemSettingsAdminFlows.exe

description	pid	process
Token: SeDebugPrivilege	3196	powershell.exe
Token: 33	6036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6036	AUDIODG.EXE
Token: SeRestorePrivilege	1496	7zG.exe
Token: 35	1496	7zG.exe
Token: SeSecurityPrivilege	1496	7zG.exe
Token: SeSecurityPrivilege	1496	7zG.exe
Token: SeTcbPrivilege	2716	taskse.exe
Token: SeTcbPrivilege	2716	taskse.exe
Token: SeIncreaseQuotaPrivilege	5496	WMIC.exe
Token: SeSecurityPrivilege	5496	WMIC.exe
Token: SeTakeOwnershipPrivilege	5496	WMIC.exe
Token: SeLoadDriverPrivilege	5496	WMIC.exe
Token: SeSystemProfilePrivilege	5496	WMIC.exe
Token: SeSystemtimePrivilege	5496	WMIC.exe
Token: SeProfSingleProcessPrivilege	5496	WMIC.exe
Token: SeIncBasePriorityPrivilege	5496	WMIC.exe
Token: SeCreatePagefilePrivilege	5496	WMIC.exe
Token: SeBackupPrivilege	5496	WMIC.exe
Token: SeRestorePrivilege	5496	WMIC.exe
Token: SeShutdownPrivilege	5496	WMIC.exe
Token: SeDebugPrivilege	5496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5496	WMIC.exe
Token: SeRemoteShutdownPrivilege	5496	WMIC.exe
Token: SeUndockPrivilege	5496	WMIC.exe
Token: SeManageVolumePrivilege	5496	WMIC.exe
Token: 33	5496	WMIC.exe
Token: 34	5496	WMIC.exe
Token: 35	5496	WMIC.exe
Token: 36	5496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5496	WMIC.exe
Token: SeSecurityPrivilege	5496	WMIC.exe
Token: SeTakeOwnershipPrivilege	5496	WMIC.exe
Token: SeLoadDriverPrivilege	5496	WMIC.exe
Token: SeSystemProfilePrivilege	5496	WMIC.exe
Token: SeSystemtimePrivilege	5496	WMIC.exe
Token: SeProfSingleProcessPrivilege	5496	WMIC.exe
Token: SeIncBasePriorityPrivilege	5496	WMIC.exe
Token: SeCreatePagefilePrivilege	5496	WMIC.exe
Token: SeBackupPrivilege	5496	WMIC.exe
Token: SeRestorePrivilege	5496	WMIC.exe
Token: SeShutdownPrivilege	5496	WMIC.exe
Token: SeDebugPrivilege	5496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5496	WMIC.exe
Token: SeRemoteShutdownPrivilege	5496	WMIC.exe
Token: SeUndockPrivilege	5496	WMIC.exe
Token: SeManageVolumePrivilege	5496	WMIC.exe
Token: 33	5496	WMIC.exe
Token: 34	5496	WMIC.exe
Token: 35	5496	WMIC.exe
Token: 36	5496	WMIC.exe
Token: SeBackupPrivilege	6032	vssvc.exe
Token: SeRestorePrivilege	6032	vssvc.exe
Token: SeAuditPrivilege	6032	vssvc.exe
Token: SeTcbPrivilege	3524	taskse.exe
Token: SeTcbPrivilege	3524	taskse.exe
Token: SeTcbPrivilege	2716	taskse.exe
Token: SeTcbPrivilege	2716	taskse.exe
Token: SeTcbPrivilege	5584	taskse.exe
Token: SeTcbPrivilege	5584	taskse.exe
Token: SeTcbPrivilege	4716	taskse.exe
Token: SeTcbPrivilege	4716	taskse.exe
Token: SeBackupPrivilege	948	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	948	SystemSettingsAdminFlows.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe7zG.exemsedge.exemsedge.exe@WanaDecryptor@.exe

pid	process
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe
1496	7zG.exe
860	msedge.exe
4812	msedge.exe
4812	msedge.exe
2420	msedge.exe
2420	msedge.exe
5520	@WanaDecryptor@.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exeSystemSettingsAdminFlows.exe@WanaDecryptor@.exeLogonUI.exe

pid	process
1356	@WanaDecryptor@.exe
2700	@WanaDecryptor@.exe
2700	@WanaDecryptor@.exe
1356	@WanaDecryptor@.exe
5520	@WanaDecryptor@.exe
5520	@WanaDecryptor@.exe
4008	@WanaDecryptor@.exe
5144	@WanaDecryptor@.exe
5904	@WanaDecryptor@.exe
1952	@WanaDecryptor@.exe
948	SystemSettingsAdminFlows.exe
4100	@WanaDecryptor@.exe
5940	LogonUI.exe
5940	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 860 wrote to memory of 3356	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 3356	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1612	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1880	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1880	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4444	860	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4604 attrib.exe

pid	process
4604	attrib.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge http://google.com
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch http://google.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd7c7146f8,0x7ffd7c714708,0x7ffd7c714718
2⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
2⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
2⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7c5785460,0x7ff7c5785470,0x7ff7c5785480
3⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
2⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
2⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
2⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
2⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
2⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
2⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
2⤵
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
2⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
2⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
2⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
2⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6488 /prefetch:8
2⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
2⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
2⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
2⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
2⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
2⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
2⤵
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
2⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
2⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
2⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
2⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7076 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
2⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
2⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
2⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4932 /prefetch:8
2⤵
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
2⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
2⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
2⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
2⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
2⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
2⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7817577278595988495,12050449381274051913,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
2⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5968

C:\Windows\system32\wusa.exe
"C:\Windows\system32\wusa.exe" "C:\Users\Admin\Downloads\windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu"
1⤵
- Drops file in Windows directory
PID:316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc 0x350
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\wannacry\" -spe -an -ai#7zMap30687:78:7zEvent5575
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1496

C:\Users\Admin\Downloads\wannacry\wanncry.exe
"C:\Users\Admin\Downloads\wannacry\wanncry.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:1676

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4604

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1376

C:\Users\Admin\Downloads\wannacry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 141121680008641.bat
2⤵
PID:5368

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:4976

C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Users\Admin\Downloads\wannacry\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
2⤵
PID:4836

C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:5740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Users\Admin\Downloads\wannacry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5116

C:\Users\Admin\Downloads\wannacry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qpzmehtw499" /t REG_SZ /d "\"C:\Users\Admin\Downloads\wannacry\tasksche.exe\"" /f
2⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qpzmehtw499" /t REG_SZ /d "\"C:\Users\Admin\Downloads\wannacry\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:6128

C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd7c7146f8,0x7ffd7c714708,0x7ffd7c714718
4⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,18296481092387393716,2501820358182457625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,18296481092387393716,2501820358182457625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
4⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18296481092387393716,2501820358182457625,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
4⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18296481092387393716,2501820358182457625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
4⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18296481092387393716,2501820358182457625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
4⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18296481092387393716,2501820358182457625,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
4⤵
PID:3656

C:\Users\Admin\Downloads\wannacry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5808

C:\Users\Admin\Downloads\wannacry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Users\Admin\Downloads\wannacry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:312

C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5144

C:\Users\Admin\Downloads\wannacry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\Downloads\wannacry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5904

C:\Users\Admin\Downloads\wannacry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3348

C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Users\Admin\Downloads\wannacry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Users\Admin\Downloads\wannacry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4144

C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Users\Admin\Downloads\wannacry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Users\Admin\Downloads\wannacry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3540

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ProtectTest.ttc
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\LockDeny.mht
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd7c7146f8,0x7ffd7c714708,0x7ffd7c714718
2⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,4250112447949013273,4668895155638065402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,4250112447949013273,4668895155638065402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
2⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,4250112447949013273,4668895155638065402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
2⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,4250112447949013273,4668895155638065402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
2⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,4250112447949013273,4668895155638065402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
2⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,4250112447949013273,4668895155638065402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
2⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,4250112447949013273,4668895155638065402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2064

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@Please_Read_Me@.txt
1⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultdb31acffh3fe6h47d2ha652hddbb2166e4c6
1⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0xfc,0x128,0x7ffd7c7146f8,0x7ffd7c714708,0x7ffd7c714718
2⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13397794079972359264,4267458812536009126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
2⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13397794079972359264,4267458812536009126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,13397794079972359264,4267458812536009126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
2⤵
PID:2208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5108

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396c055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5940

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@WanaDecryptor@.exe.lnk
Filesize
684B

MD5
c24a432b9bb87221b1d92f878eb64a24

SHA1
508899a709f71f997cdd73da5bcd8dcad60c06f5

SHA256
defc8a78b0f18296e496180f5ecafa94fd9dc9a0fc748c7cc3a063a5fde50394

SHA512
5b6fec1979c53b49cbe2ca3c76135fcca39fba39cb59f850a593131433eca657a62c32cbe28736ae2a4a8d44819d2eca07754030b769d7f56592be92b3ccef72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1b7af9cd-d5f3-4d36-aade-d456a901f07d.tmp
Filesize
13KB

MD5
da71d1cf2853138037d703c618521a0c

SHA1
35ced280fb67bff88aeae2682d95bcda68312da5

SHA256
bac806a2930716200ea579b5d651396190b2e844b154d3f8e8f4f46aad3a7181

SHA512
4832b29e878bbf19d5a62e76ce92506551251df20fbf1279a3ac208f48376140bc674805cb485b15bf68175df8fdc6521df9baefd646261dfa88032ec63ff551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
51f45e5218334be28303f404044f02fe

SHA1
e3d06720fe7b29f437ad82962be07fcc3ccea390

SHA256
377de9a936f9de7a5d62b07e657e72e87b83ebb4c706b1b3e7b16fb725b0399c

SHA512
52fdacecffc82d87fe1227933da14fe7e9a13ecf4f37f61360c03c259461e8601c2e7d6a484afa41e7591fe17522f99c2b2b40be215e0a540f3dc39892689733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ec9da63733ff28f6716ff07738d5d4e1

SHA1
4be60052bf44b1c4a66f39c32b4ceb443220a96b

SHA256
bf6f71f75fd88c2970dc8a6ab573309c5449683740dabb1229cc9a6b55383dd2

SHA512
642dbc99e89ec9dcae25532a9bc375b7b1209a671bbd60c9d03ff1e1c5a97e6c1aac2b9c26309e8a850a1961d0b8e4880699994182497dbbc5ac2a696c7aff57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c83529484724dc354817a91e787bd9ce

SHA1
5d2e37175c4917b9b264e474ef49eb466f07bab9

SHA256
8ab0f3b6f7d944cd86d27cc43d7a94c6d30decbb024be31c41de4cfaf25256fb

SHA512
497f6889380e6044e29829af6cce0f6a1872e525afb195cd9dd0a5ef8fd0ffcbe5afeae355a64828a54e3f8f4eed27f40791d1ab1f82687930c9072fe41a1ec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
14014f1f1fd5e6cd80aa00ff6229459f

SHA1
cb15ff6a2fa539e2453d5aa3b4db6b4404b4dcc4

SHA256
7a83e99011eafc78aa4e165bd316f07693f00edb77634ce136be0c9c27d17e73

SHA512
c26bb2ba040456bf3c729e5a70c3169d3f6ae8502a2db0f78935d324c62ce6dbf5ce36db4391e291c4c682355e9a480612b22c4e63b41de300abbe983256ae53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2c92369d-d8b5-4fd1-83ae-954a6cc81214.tmp
Filesize
2KB

MD5
281ac984c567c61dd6b2a1a93faecda5

SHA1
b8c5d0d95b3c267bd4edfcdb5ebcc48c4151da62

SHA256
b71b80c211637e9571abd172f0e72c168cb3d60d244cc5d620c79dcc9e2a91ad

SHA512
7f00ccd0d054e8ea0272f648b8044a88935155d6540450e6b8cf1057cb6ed9114578e93db3bd320f0382b6140dfb31e2bf52afe3058a30a344f4300b7964a124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\33167822-ba90-40d3-94a4-a33221a18944.tmp
Filesize
3KB

MD5
9ce4ebe755b6eacf3c41b8d017e05452

SHA1
8ab66d346a94ab3bcf1ee2777e5be5b78eecac3e

SHA256
5acac3b1106ad4fabf0dec2cba0b907c70bbf2c4e2c79d6516f9d390f414e6b3

SHA512
6c787637b0cc188334df70b4dadcdb15e5de0c020a3f1abcecf3522932a89b23a953ca131a866f8bc43fcf5a4f677f4c588ca7e2e2ab1a6d2cd6910733f88c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6bf7419c-1de1-40db-ade1-dffaa050d41f.tmp
Filesize
7KB

MD5
45d9c403a3f7567c766cfb7b2be428d2

SHA1
8de7f27aeb3a43685581b536181ecf357f2cd38f

SHA256
84b024bc6edee88d236d595b8d3b5cca41ede839319de6549b55fb8c281fa2f3

SHA512
72c5a3b880ab85404da274da6618d1da6ada37784e507dd8de74b495769592f44e30bf4f796b1ad41d26dc2780587365a8b6b97e8d5a6c9c5250f9e8c7c73b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6e38a473-a1ba-450a-a7e9-5b9563543125.tmp
Filesize
4KB

MD5
6b4f9823ece6c4de60a7c04984e0efc1

SHA1
c18f37ec4783e0a436a6946771cd857d25f27e0f

SHA256
000e8fcd6093b910495a4b07f1e5962b7cffc091db765b7f711a1ece3e39051e

SHA512
c2f71901765b7c0d816cc643a5832e727fa807c88fd24670c5cb19515e02ad5a4c94d533c6ec9d2176f9c34e97da61e40d68b77cf490a3119cf31486c632ea81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
37KB

MD5
47ae9b25af86702d77c7895ac6f6b57c

SHA1
f56f78729b99247a975620a1103cac3ee9f313a5

SHA256
9bde79a1b0866f68d6baa43f920e971b5feb35a8e0af7ffadc114366f8538224

SHA512
72b5296e3dd1c5b4c42d8c3e4a56693819779167b9f02bc2d5f5a626b519a9cf10bee59846d614c929c42094b65d13039f6024f6cb1c023e740969aaefd060c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
326KB

MD5
3b0556caf2534f529df81499e958e012

SHA1
1172258281080d3ceb62629524affed05ca66274

SHA256
410d2881a633ea80999d50bfc27bb784420908f566f2328b87ef850b4f35efa1

SHA512
f815bd40298860a096d1eb709788ec3f64a12c13fe30dec5d3dcba2bf3fed3b5a9078fbd1dff39b59efdb62c415e2f344c8e623bdd45923e01fb21d2e4cbaeae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
45KB

MD5
32123715132ca4e59f2b2ef5866e13c1

SHA1
544efed2dd1f447656e8565e968d7e324f6683fe

SHA256
0fcebe101734fb1f6f6f8f69909dc974ba6fdd1e8ff9d1035d1fa520e8c1673c

SHA512
d3ae6ceb3bbd65f2e0b72998482c43d484faf0c4c8bd82673aeec7743bfb71707b3878c0ef9025e18e82443040acb8b343b944baba01659c5e9f80ee604e25cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
29KB

MD5
9a471fe5dc5ce45eb4695df38119c81d

SHA1
006fe7413680d0c463fa541c2c84c76b1e5b176c

SHA256
2304f7f374cf50ca968e34c8bb97dc4c2c0b323061973a258f0fe338b28ba91c

SHA512
4e77ff774070d9e0751de9e4e0c2bfb46a62dd78cd7dd795dbf087ae05390cac6af932263522481afdef5adc99720219d3f0845111b4477d310ebc8cc7929ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
30KB

MD5
0cb31720d76001266edad3015a75a04e

SHA1
127ad34b81557f194fb7ab07aae0a9019b6e11be

SHA256
7e1b12eb83969a4f5be7166a2430b0595d2b93a4d70eea94b0e0e60123c3c39e

SHA512
789ade299a858d9291c92d60c44e2cac398698eb6cea82c44de47d5b2418419174e53b73e0d02b7f51e192729cc97bbb7dd888107dc8e03851a75e658ac71bec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
19KB

MD5
e5e303e32be46298e29daa07dac8e34e

SHA1
919a13a9ae3469e17950ba29bfd65ee7a0aca603

SHA256
1dfb2a700d1131e93c057546466abc56f495890a07a699dacea3cff1e15c9d1b

SHA512
280356285ae8999ecc8eaa400477177c4c35abcbfc6fd8819e1d6864a6e45f87181e4ddd80d0295d1d68f20825d762a2e9dd3413c0228d7bb51c7674254c9c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
41KB

MD5
827c0b8284bf8e185be775493a34a30f

SHA1
61d35eed12dcba70ef35d7b4105796ab84c818b9

SHA256
dfe8d8ed316722eff8128413b60644ab82c93658688a22c46f2b91a49b5932d9

SHA512
1ba7798f1f044594ddfa35d6dba9b2f687c46b31845d7d3ee836225cd95c107c1250da7d950a5e7dc16f451aca5785726e3a5a4c767bcbe4f580b8a468647a99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d
Filesize
336KB

MD5
a990dee9bfb98ec9c7a41974de906336

SHA1
bf62b7ff8191045aadc8bd38513e42dded5e7e4c

SHA256
97eb19c93a409d63d5e1cd902f935455fe9782ca9b9f068bb7b2b28383f35377

SHA512
1a68aea24145634e7a02a9c2866f25929805d374adc7360ad5baa9313375e705e05b2d7d81fbd083bce23db6ba5b418a79a1a852c6b16ef6d54931801ebbc636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e
Filesize
49KB

MD5
6fd0a970396c33ce967cde85e6dc7b76

SHA1
18bf833a6f018465b3bfd4e873be2a7ef2a03650

SHA256
bd08210ac2f8bb43138b48fe610d8567e939822ae2d386a74bb1d9592810c63c

SHA512
0e53c89f8f171dbed82d37b96464833c34046e36f1fb063fb45cb6915613d9239d32cb5c812553e9743eaf0523b48c6285eaecb7d46132a5050437776c67883e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
19KB

MD5
ca7fbbfd120e3e329633044190bbf134

SHA1
d17f81e03dd827554ddd207ea081fb46b3415445

SHA256
847004cefb32f85a9cc16b0b1eb77529ff5753680c145bfcb23f651d214737db

SHA512
ab85f774403008f9f493e5988a66c4f325cbcfcb9205cc3ca23b87d8a99c0e68b9aaa1bf7625b4f191dd557b78ef26bb51fe1c75e95debf236f39d9ed1b4a59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e
Filesize
23KB

MD5
6b6e9fee541a5fba4bbc2dca93587cbb

SHA1
713d5b23254e53cd115db98fce16e47e0aa0e711

SHA256
d268b03cad05ba44503adbf37491b2defa52f489cf1fb6e4f8bee183ffa8dfab

SHA512
27fa4b2b727c3b43554f63d6ea2b152dc198c2bd75fcd3f8c6fe40bbe374e7c63a65fab034873564adf3ff2cd40a94b67b1a08044b90c0c036616c70a6e1b330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b
Filesize
76KB

MD5
5c381e19ae49a21d332f0b9c11fac932

SHA1
7fa6112daa1f3882d44004c32bc7c143a2883235

SHA256
5d1c05195f7481be69ad1e9b34239e6683bb31f8d97b33fd3dacd06f26ac0ad7

SHA512
b18a7fca3e0dba535170e185757f981aeabbe7c5a314e54e5e577f288674f55f404ea55f5c97d2bfa6f7d307e23920cfa434cae76881fe85e41d257dc9868dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
3d1dee60e0ce099a0a3567e3ae9d26bb

SHA1
1f8a2ca99d9673f3a563aca488e3eb1fd44c0f00

SHA256
fda33f381c7500a1bd3890f61eb2f207573c350e33a976c588163752854eb223

SHA512
f9f7847569c1eb5630cfbe1091582eddfc443b3e2fd53bfbc7936324de76f97b127033ecd75a00ead4f83ecbca648ae665b24af13805667aea60787a78935309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
578e89d0567b31a3e8da8775caf2ca33

SHA1
45a3f133d519ac378e9d3512712aaaf8c16389fa

SHA256
b04c0b78822dae36ed76473c62bcc7d2089b48eaecd174f5a39967518225a5cc

SHA512
e9bac33684c0112471c65b11b0261fc54b7dbbd0139f8c39b5cf03de2b3f6c3917b178bf48733ae06cadae4c362ec461ae0d69e95c59c5d48a5547fd70eabbd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
7KB

MD5
ebb3898706a84c5f87819a654feda653

SHA1
8e158e316950eef7df488ff6b7c9459ac8a9373f

SHA256
930d67393f135fd9127c20aa2de28a4cd42d4afa2b8f07e3df0937302b83344c

SHA512
433d32cb639646859ce4806379bfd805b695b77361d57e8c34ab469546375fcec3c2f1c1f66045517580741a9e6ffe2878faed5a9b820756c0e9fe00187b8170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
6KB

MD5
6954f47d2f7f39b42e10cc49de9b3127

SHA1
2db72cdf4acb19e444ef8cb6558d7ae26fb269c1

SHA256
0f3b4aa91d1bc97664dab9b51cc1eb9271e27def1ebec8e4fc0b7874ee104b53

SHA512
5e34e2c053f2279134f089abfba924a0a4453fa7f49cc9d82384cf2896a115f3a675dc89cfebe8ce55d9bdde8c8ffd1563acd7cae637804c9f40ea935eee2042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
929251cbf3015680c711d9614c5e8130

SHA1
50706eca6dec5ca6ec22118f7fa01896dcf598b9

SHA256
58a8e843289c77a6c951e98bc396c1dc46ba86f75db36539e018c786c084ed7c

SHA512
8b37cf29bf9fe7430eb5b9719cae88dae87fc1abf553926fc0e2f11f216aff48451edb32cead37e11bbe2827347abd1304df553ca31a61458de84eac990556bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
5KB

MD5
6836186bc380aaa046e6bff78bfbabbc

SHA1
54b8b3bfcb3fc07f04ef03a655b204e99517b81e

SHA256
68ef99be02cb4ed732a9014bf019a648b7b37bf4bf99416ee86d2b8b8464ddb7

SHA512
7648bcd197977fb42a0cde163053e09e671e26ff638bf32504c6ef4927e8ce8915f74bf516afa5aab257dd0f8473924e15f8c9e006d78ceda2996be8ca0134ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
7KB

MD5
acb194ffe3202139583d19df1408f23c

SHA1
7d7399dc3258fc57457b84cabf9ea4b5ebe4d8fb

SHA256
964591b16204cc627224104fee28952ea9c8b01dd75b55c33dbae3a5d8b791d3

SHA512
1ddee93d90621a2a02922888c1b68fdd1d053066bd4ca91fffdda8b66d5f013cada33cfc049d47d67abf55a2743ad2125195b9d78f0abc6d38c7697a37fe8f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
7KB

MD5
faa5de741f4fb504454ab97fe7adf31a

SHA1
71f81b325d9cad8d61751143c472338b988c3769

SHA256
05d403e2ec54b7200ace6921a7628aa9d8c67cc55b4dda6100d33f1430707ef1

SHA512
ff65d7ebf0d10950b6cad27885a2990572256d4bb55cdd7ef05809b4a88b1e128db60ee1ddaa6bb93083a776f117742e7ec8e01f983b904ea6f2782655c7553d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
8KB

MD5
978bf3c53ca9e6b6553b1b4dada0a994

SHA1
8a562d86621d37f94d5e42c300a6590d9d93f4e2

SHA256
df34365fcfaa44d948bfacc49c761fbdfe8eac90cd8519f3560da97b09d9c31d

SHA512
cdbe9100ca163fa7f3091dbd64dbe9e5751357eb7d2203b23733061fcd04fadb0a6ad1f0c6c3a235af6e6cbee4e66b0ea639af9821a4b5ac0accdd46104c9888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
9664a200ab537925073bddff4d5eb535

SHA1
83d9b492086c265351b0388b212247e1696e05e1

SHA256
550f366fa9a7d7e9bb31fc0e494cdacbaad2e9e04e83542a63b84259a9136d81

SHA512
1d2e0d04b6d728b939d111d03aa9ed2e2eab23419f7ec859733cb26764af01512f4e53c86af8c91364c0d482793350c794d33975bf2c3fcae787fe7c1a3251ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
8d1b9fb55722ff1d00ef7460f0988065

SHA1
62e9a50f911379db74da58a057da06ee6a221b16

SHA256
3b77de727132492d71d91c41296724b06b60d90ad60e0d9c823de5661b123517

SHA512
ab641284f53443b7b23b4f9f9fb1a9e58768355ad4e404e7cb2744cd690396efe51ed7fa5db74c5ee41e6c30941456074e424a26a53be9496191cd1be405a2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
875765554c0be02f02364ab237798c1c

SHA1
5c5326503cd93827d6431f1c82d2720f87178b9f

SHA256
edbdb75ccb2b26ab721d990c197b4047059e1bd6dca051dfdaf3e4910680e35b

SHA512
736026a86d43cd8133d626b7a6b04c84e4cdcf9abdecb64e882d033675dea78415950e6490d92eea93c5dcae6c9e1ee95b5ab76e2ea442854b8c818abc288ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
74275eb0808c813b750c3c497a27f9c8

SHA1
eec54f0cccf066ac4ba5365acb6a025039a6aabb

SHA256
30163478784b97797a2d52ce8b625dba5d3f97145c12276c887ba3f9ef14d0f8

SHA512
5371f0653852355158d0818f62bd8f2c1e871b90b6ad2224db0c6fc5319fe04de4415ec563177f9526f3589b7904689b9a623bc791ed34a3d649728d8ad8bd09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
75bdadabea16394ca7dfc017f2df0551

SHA1
7511ef794e8fde201b0c8187b5dd1e69643b70dc

SHA256
b22f54bacbff8ac75fc3fa5b99e8ad2c4fa83a5bfa73dcf3b46c66fdfcea967a

SHA512
ef07c013b2f568d748e4bcdfde359fd6999a713a963fd1c854a2f1f7df4db84482c3c1a79281855627591e42549b266fa15171ad583a26191904f62ad0933c23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
aa8fa2bfca54029c277ce84248bb3079

SHA1
d88e58b178159f0ed114eaff450eba18e1e8a263

SHA256
82c324d9be52cf1ea1002872e8b17831ea6c4e44f44fd5f076db36c22711f046

SHA512
0a56657992f556de4993009d364ec7ded8e11336a51d4498e42b89965bf9bf8d1bd2fc32c8f7f0828370700ca7fcc1f091a25c2a5878bfedd4ca445cdbf5fea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
6fa022547cde6e1a08680985d4bcfa14

SHA1
698a8d7650b93b96799ff24e5ae687be74a4ded5

SHA256
23f7c85a76cf7bc8aa5f7183bb1e40674de3f47088e5e3b0f1b6ae463e176fce

SHA512
f3329dcab0bef5d46e37c966cbd7e024cf26a0a0c21ed75db6411621545cba9889db293445514463cc6a7803233922f2c34acc5717482ec12d86fddd85529f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
0e54c74ed432f1f1144f26fbb6b37838

SHA1
5b963077e237b91879320f09f42a554b7d195041

SHA256
8e7370f4a3143075cadd1697de2e6857750546cc404b9daec574c4769829944a

SHA512
d062c4f086665af26fd7a7fa72ec7a6fb9268c04691d13ccdd33f96da7db58ea7b180f15150f2afe9812af3c5a34256c3dc0ba31d6b98f0c01e75e3018569c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
7d8b4cd8d63a818d09f6ba5e946f38c6

SHA1
ad4a181b450bac61eda7735236ec67def0316040

SHA256
9ab239b8ff3b6690f73b406750c51734821c3f4ae0be2fc855988506ebec3807

SHA512
695f3ef958dff1e395d20a32e51d119f07f15dc9b8dd602d1b0068364424cb746e1fe63dc4bf73dd4e3a103c44dddbbd97aa169206ebd503e6ab516a5716c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
9b68e9b931a56a725ac81775182bb750

SHA1
4984481bd23d9a671b25ecaa3eb9f7cd90bfcf4d

SHA256
4e27b21f53c4396bd46caf1c36b4da7e3a788c89fa46ee0ac047df19cd5aa01d

SHA512
eeb8ac9293d664f4469631bfcd52de40c46c74b20093eb4904efb8c774ec3b38defac99b36d983b3b78dc1c33f45fcd92ce5b4442ddd52529eadd60f4241edf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
634e5170783f8a63d074460471256351

SHA1
7d4992d5b0a15c40dd8292836c2e4bfdc7c466be

SHA256
c4e98b889d764d7b9f5aff2e3b14643992811fdf8d24102b024df1b98308d9ce

SHA512
e083ba7d9e25288997b3156cf760fa26c7a35c2093864d0a4fcbedf4d0416fe79a766f980652d91bc6cc519ed02ec9180c63717557a1b9219e323931f6a391e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
0bb53ce8f919e914af0c1b4609633a2b

SHA1
06a90ee7f6607a9e90835fbf4fb9b9f4cd4214cc

SHA256
a1218278be17cedc17ed15b50a3f79d99eddecf73a2d08882d398bd9120f5357

SHA512
25d5bef21edadff71871081f7e019fa356ebcc3f5b90150173f9b09d3585405398d13ca46d2447ec375027051f3bf9ed7a401c89e5bacef979eaeffa04ad5d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
ccedbf9b0345c9f9de36292b61b7bb1c

SHA1
bc70cf3c62fe011b8f39bd366532cf8c649f2bdb

SHA256
f576e9e2f6170c67acfecbcf036bd173faf663d7c3d261e26398fc2229b20d66

SHA512
df35e48bfe9fe3cb13e9ba56f1a6c14296c709950515cb00e9432eb13ba0fb0d44d8e0d672895568f24800d99dac6c3813b73774212fc907468c3eed6e6d7876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
99d8e22f5cbef34ef35597164464c1fe

SHA1
e461851a2c0b24f51deff9b89ea98df05e862846

SHA256
73e9c0b28abf013fd8fbc4c8087741382922b6cc9706214082671f9c11fce570

SHA512
9e3e1b6b5f48f79ff8886f4ae1983fdfc576c0950f3d10409db625f039016b7e12d99a84d88acdbce554fff83ab6e11a5a374abb0ba141b12bdf933a31b0ae6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
6082a7ea6b35edba42b37468faa2f08b

SHA1
1ba17b048d4f7b81796f4e3806e18143d5c1400a

SHA256
037dbbbd81df54b1980a3c6dfe96c262bd988e294951d6d679d98417d105a42f

SHA512
98898dda7d031a2d057649e543b52eb69cb503d6f148ee31eeb79085899232dd2a46364e9360eed2956d0860fada8cd1bfb784a0d6250bc403ca94f7f397c7e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
f0cb42bb398f17b9d366e4b0ccb34d34

SHA1
4052052a4a46bf37eeec8d879f09a20367eb3d98

SHA256
6c4eaaaad30b1c39147f5939ec8b05d56f5ed160933af62cc972bb27bc86f070

SHA512
38029d0710e0e9de7eb7db8305f8c015bd391e7a1cdb5c58a7e947f616efa4e5641eec3724b8e05b0adaad56460d0856d85b31b55eed6455219a985be0e8758f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
90B

MD5
253da3482dc443ba0ead624884c0b735

SHA1
35a7116dc9657cbb59d5517b557c1178db6fbe4f

SHA256
7261793e7ccdd0e9c6131a01850a80071feace5b1b19c505859d27bc4b995ce9

SHA512
afaaea7d060cfdd701b820f714684dcaf0bb6cccd8f4b3786f17457f35fb9d9232b4faffb5dd1b26fc48d041071100e3300463ac4432158e9aab35b0331a09ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
90B

MD5
ea598d536c6fdfa7a4a4abd9ea17b31f

SHA1
62b3a8d41870c9037ce14ec2bd65ada5b1deee2a

SHA256
212a4a3e82bee1c7aee1aa08d9f8a29ac38963b9515c501ecdb12f409ec44b99

SHA512
7cbb6676ded136438c9df44811715454593ded39e6d2ffd6993d11d266d44a4f99e7cd78f817541afd9da42a73c4ca91d3c7be84a7905428010c68ed6206105e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\ca7f57a8-1085-4aca-8792-864d38a75403\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\ca7f57a8-1085-4aca-8792-864d38a75403\index-dir\the-real-index
Filesize
72B

MD5
47edb724b5b4b31140deccd7d1d0cd97

SHA1
30e4346b0870303590668e8fe80defc6bea6d512

SHA256
fc3fe3893a6193efd761b4b83c2ba8a28ba95da4207cc94c0a29e39923c5e8aa

SHA512
4a26f86466bd92cec7a8000796b19ab453963328c9f8ebecddc7466aa15b719a6730b37ac7749f924fadcecc37927af44d995d70d47be774720140ae6eaa6fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\ca7f57a8-1085-4aca-8792-864d38a75403\index-dir\the-real-index~RFe58683b.TMP
Filesize
48B

MD5
b13181cae2c127b5f47663b03a4d855b

SHA1
bf065cfa3566b4c045c08720b8970638b8b0d721

SHA256
4bed0ce259c6f48280c4b3eab4f97573634ea4c6be159a7024a647e48070a052

SHA512
78a045369a732eebef53ed074c5a75ae7f66a286c67e74fe540809ebb4811f3a835abfb625f82475475b5f4fa564d4cf8aef50e6843b35452aba91ddf0baae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\f7fe83ee-6f02-4d0e-843b-2bcea96cf72c\index-dir\the-real-index
Filesize
9KB

MD5
a950b74b52daccc1734c8291fd2039bc

SHA1
4a1948f57e326fd93699d28accd6475824636965

SHA256
12414efc86c7cf474f54403b98086a83a6526991385924b83ffc3f01ef2bdfa0

SHA512
5852bc0ab22be2bbcf7f929e4d3c4e40caa565742217464f707b6e40360a4d7c140f327439d7f32ead2cda40a53342c6370765232f66395bac86236bf4bffb22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\f7fe83ee-6f02-4d0e-843b-2bcea96cf72c\index-dir\the-real-index~RFe5a3356.TMP
Filesize
48B

MD5
ff75a37ff5efb6068dd934d4ea9ec16e

SHA1
112169cd341c5a784045aeaea1b4b84afe1b7b3a

SHA256
e04b0085f60ae2b9ceaf906192788d5e16af4b6010d96d2e246751ca5ef61509

SHA512
598b8ce3c87c3385d07d8d08d090a5c0595694cdc88466254a68ee5ec633dad1fda13d097af74bb6770d08fc5ba02e7d7a0ecf8867518f5c4ebfdfc0383b985d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize
140B

MD5
1d4bd66d5794e188d544ab203c124730

SHA1
c99fd7827630577910489f55318df6b2537283dc

SHA256
437001819f9a62f7ad3d5ff390e7357b5fc07427a620f46491d520a0d464c369

SHA512
e9630887e84f0f921d546dc3d3a22a6386ef745b9aeff2c4eac3eb186e8f87cdc950c90162c7cf9ad13dfe979e5df6db3add2d54ee6d6aa964c385e175cd185b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize
138B

MD5
dce3a4e9c8b36541b6f39710235a8d13

SHA1
caa822a87df65bbffb8dafb65f631cf5898bd689

SHA256
f2c77783afe5e31fd3ad7330a0eb9955fc932fd655aa9f822f82af29c313849d

SHA512
68281dd6d80e336dbba39508a7db1456daf8dfd62f993768639599b29f6235ffc991d62c3cde5305debcd39c86b8e40f6a77a7364a97c6bd82ccbf8a2e64931a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe5817aa.TMP
Filesize
83B

MD5
46609a3b172f8f73c76527c1adb2dc86

SHA1
4f3e5e82ed1be5c2724c7b2d1d89ec2843eee7ad

SHA256
ceb3539f01ec81b0322a7ca2db17654233ebb6f5f0ad49435e63036fc31c5bd1

SHA512
277e8d698ce877413f298eab3f02d8837b8c172a6db2a45d9fb0cd3cc87e5e44616f59f024c4ca016bcdd684f672e3bdd674dfa99f34cfeedfbef43606698036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
5d64a32bf9c85f3b77887fa58686df6a

SHA1
23a4a55ebaff6fdb2b792c36a7eaf2458ea2302d

SHA256
58cea6da554ee79139c9fd775c77dbf921c2a6d2f985fc3f11adebcfdf5c3e60

SHA512
5bf2c8570b2b775c4ddf48b35ace3f56b1c22a2466f7edb79084abdfd65dc71e8443314db28c44803803df01eea52b1f2a5607b9a99abc7e95f4d98c22b65e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5865ca.TMP
Filesize
48B

MD5
c945f3c8f9fea25ef1c89cf1e6f66298

SHA1
3572d2e93a19851522c8a0c7838da21a2cc28924

SHA256
e312a0b9455eddadc86bf613ba39925730737040f9651123270d2542f109bead

SHA512
e3d3bf68285e544d51c952f0b00e8a697b1356f11afd172b63d28b603188b5cdb157c1b6e18b9cb206d4cf2e2ec4872c55a289202dbffa05eddbddfb77fd6536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
8c9b3c3022343d5d9c7e9e081a906521

SHA1
db81aa78d720120f9cc1c65e5cebe4d9ce5aa116

SHA256
a3af5d3a3ff11607d7c65d518b3a5c4cc5b760a1c1b2bdeae64aaa94b97a6a76

SHA512
c0d4f70ea2e5722f2d4eb66ffba86479da65383beac6bc1e87b2bab5aa469e91225595aaabf0cb1036a3eccd6b91d4868ef52b5c7cbeec185f2e6ebe2e290d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5c8f9b26a3b8983dfce645f04d56fafc

SHA1
fccf0178abde6528bca9f90264400b3db2ed46ec

SHA256
86e04960041f5102e5856300b431771b0a9474164065f05103111bb5366367eb

SHA512
4efd6f8c6c49c4ce9ebc7664281a35d0fe82f52b9014fa1dc7fc921da8e6ed0d4e55494986879f72e94d215656ab485b25043fd66f8734e8d17b00ee95c18566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
e0a7ac57a0ec560a5da1fbfbe50b1fc5

SHA1
88df946c8fbadcdaf00b33f92640e7a535c9a775

SHA256
382ef8ee0f67f2f93691a921663bd3455176fc8591ba534a35d07f1bbf13673b

SHA512
116c2cd645887edb2365d42a4fa87d8213fb3c996ed08a689b9fca971ecc589e7d03289a4e027d004a145580b06bb40434dfd376bccabcd57452b55d1ee191c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
9f2c1a9fb43a2c50cc440b5be847095a

SHA1
9e0848d09b477ff658b9f0e72795939d70c0db3c

SHA256
0b579db0034b9d9c7380724e567a0e5194b97d7888c655f1bbc7294b2eae75b1

SHA512
5a991f3ff76dcb3c3179b963762afcefba95c2b21145a36c593613ef1f765b3e17ee0623c51226f71ce7d3d4e95dcdd143ca23f51894a63363b0352e33b1fcde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
5e8eb02e80ec1e831da95b9059ea455c

SHA1
b6c275c1c80f679cf1326b9c4be6bed81cc9a4cd

SHA256
073800789aed1d75c04c05a6bcbf3b49ce48484969b1708fee71827456fb487a

SHA512
cb6c0e9e6a7eed90b6168d167213a1e409622f45312892ae8f919175df8b80b814453deaf754603072073fe4d79a2c6e81aad283f0865f045c7daaa90a98a643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
462dc6b1b0a49de5cac6bb690dc40e4a

SHA1
c5a152b80f582bd748dba453ebe59b801e7757b0

SHA256
d6a8594d3e86fc3887cc08b8c87777c5f4072066312f8b1aed98fa8addce19a6

SHA512
03ac131427b56ba9fc9c2e98e3124ac479f211f7a5c80b7478e5870586926ce83abb4d3c4cb1118fdd3809ece611c1d65e1ef9a3f48b0e82e847993c43a54fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
7049bd89170f3d18a5088a997ae70cac

SHA1
87cdeb7db7d59d3a69d23da9d92a41ad8d7b8574

SHA256
5124f3f7eded63a5bbc61517baad15f163aac22905bf92ab2d495cb99b2cf7de

SHA512
036a4e81728b5079ffedb9596d101923673f2f3fa7104d6eafc8e8c68cf5aebd076efa4ca423fdf56c4c1f9a15e3506db4b7c9e7fc8dd9929fbccf42af4efde2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
b6a72d7595b984d00c0f0fb1fb4ba617

SHA1
8a1fe1acfb7841112cb10af0842c8155e46d9880

SHA256
c3fbdd09dee79fbc3fe48988efdc73fdf22012144a8c8d3dd50dd69049c583ab

SHA512
78decda577fa7114a9356f6d19cc8a63c39f5f0deb482554a8fb03357a19624893e88799bb2f8d9a7aaecfed67c9952b9d03343febd49f2afdbe0ce46f6eb604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
e79415feeab6e938d7ac7f130e96094d

SHA1
45a614d8c4936750948a8965d862d6272c02ecc1

SHA256
e5571830e3d600b939fcc715557baa9c8146952a4788b84e2d28dbd32750c2b9

SHA512
49a3e92c0da8775cbf8b4d0555bf2508d21982ea87ba79466ed02d91b3ceaf1433b9e6b1717956d772c446abd68d7d686c4842d2b309ff7fc643f59881d6877e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
e61ea211ee40454b820809a923bef529

SHA1
f5d1d8a15dd78f7db45c3989266894bf8bb76dfa

SHA256
9b7a7ff8099ad2491e460a1e3f0ac69efbcacc915e9ac0a26e6cb92ac89a20f6

SHA512
901f6e3a245da24315ddd81d196d175376dd58cd5f834a1267b8f58a2bbdf5cc5cf4d7966f9d98294c991e14aa7645e872c0de76806e0f1f9737d0b7194b8e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
d05ccc8feee3e3a187634219b79e390f

SHA1
0b72e9d2d6b710243ad70a1cefb0668cf478c645

SHA256
efb1124f60047871b1b7d45fa1209ef2903f49280c13e9aeccac1d4bd709db24

SHA512
5ba46583a026fbb7c545e4bdbdeb2df474091e1587f48df9c7a03ffe0df5c9984208ab286ff3598ff6237397d94a11fc7788cf7d4838e132c8e4b11db3bda2c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
0909c54338ed5cdaca963805b99a5a76

SHA1
00cc2ec64b4b55d09739465beee82144a6500949

SHA256
168d8286ccc7baad061e2d2ad2128e243385d6a7e2d04a0fa3d35a0ea3114334

SHA512
3000b866d74a6f242db7efe1ae355ccfb75d61d4c9323eaa7e20e26d47bae6559aa93d9b0218305646e8310a6a7d27d28edd372512b1dcdc1dfea32bc95694af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
5103e37fc8e07e739d84953c0acac4ce

SHA1
01c86bd8165ffda43aa7c9b64df59179c15fc92d

SHA256
8c1bc5190439e036e0ca1b79c1867f088d588bf128580da69b821d48abea1e8f

SHA512
fc9148514ce6a746c4573611f7904a7f824da91f9600067998965662ebe79548a5e20da0e43ccfdaa77bf9bbf1b44fee6f74d3131bce20a19312051224bccc47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1f2cad839bc6d8887baf71e097784356

SHA1
d165302ace065cf7a10f15733e534bc387666f12

SHA256
e5c7a91dc272425faef01a3878485dd0c7e4b6f33089941263cd46556d27e307

SHA512
7a1abe906956c533720e567156c75962f9d05652d823b6c678ebd5801483498a7dde2b4dc79388b1c6a5cc9870aeb194e4e0b0213eb32625ffd9595a23e85c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
fc8ac7e27b7955ddc70d323b37fafd42

SHA1
98518210b31afb5a11e95169bcd4eeb2e6ce96e6

SHA256
3f9ea2982544278460bce14d8d9af37d31f4606d3402cdbb25767c6675ab4293

SHA512
a3dcfa8c24cfbe3ae8379bf23c9433a8bbff9f18a7370420fb4e1ae22c0c74ba68dafa095bf5b253fd0325ae0d72194c4f74fbf44eeef18e9c6ddc0e3c2c407b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b46832720455e1eb203ae893c681e7fd

SHA1
7674779b6578c692d8d3c5f3b2a044d122c8992a

SHA256
d833f4587b9eed7e6c6488807c71dd15d62129d61dcc1213b6d11b5cdb21afda

SHA512
c2cdb8754f5aff0676c86a41c21b7bcc22703d7b2124ee38c50e4dcd74c1c23052940c59e38eca89d4dee7649dc56eebbf0f05549f44fb40e696739f05dc1ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
9ad2c1e1d290acd2386a467ecf131c77

SHA1
45f7d98ec561d7f43d8c8bdeacdbc3024f9dc7d2

SHA256
7866970f552003d1294793903b082b9dc46fb254482db7ccdbaf7da457675f63

SHA512
32b19aeb99289b92b14834cbf16a8f1843c6431d5df86f3f6fdd64763e616e41ea46f1238ee236275b6ca5c45af6ec34c8196627e103c955c14b96052072c421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
372B

MD5
1b0e4e5f98b8374233fb4b5299d43e8d

SHA1
5b38fe9b866373f01437b1619fe4c9fd4cf3d4ff

SHA256
6597781f3c28aef82fb0015862dda0c96c4eb481743f7cfa4f5c65cc90ef1e35

SHA512
45bbc5dbc5fc7c2d242b16a24aae3416d1901d477b478d9b27baa6cda455e313ad711b647b395ff3f7638eb91c880d505f4686ae4e29a471bc11f7fceddec6b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
e2985f56099a132373e2eeb1c44bd5d4

SHA1
789f7bc3d2a480fba16113304481fd49bc74d051

SHA256
f4ffd72b307b8a06246c3f48c85f8f82fbed65cb0c7e72e3943c3dee761b66ef

SHA512
cdecac9ec94806f304b1ebcfa25e0d36e30970a73dbdb95c8b5077333e9512cd99af375a6bb439977eea0ed757078e162a943eaac5fa4f7c16c37b3e46b50737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe56e1e9.TMP
Filesize
372B

MD5
d1268720a767add6a9a2d1c81aeb4092

SHA1
04fa5a483c34f6747b5a8dec8f482afd1c7c131c

SHA256
bf3f9b511e74e70f2d7298279b0b2a9b9b02a65e3926eee5a2ece9b6a4e828e4

SHA512
b6deeb74b1e2b260d1fc2cd40495642018e6561e5bd64bc94bb4dfe22597fc5dbe11869a28eb9187eb0cff863cc7605ded5bda57904d8883c4faa1d75ce60df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\efaeeb2c-9f21-4fd7-930c-716a4893328b.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
40af8f3b36762085138342f2d2ed5a3a

SHA1
d00be17896b290e4c10d65f5bffd728efe015e35

SHA256
881b0d75738cc272611926870a5a78010a684e5ae586aa754fbdfbd7258df6cc

SHA512
98f508b8c95ef9798aa82028cb2c4f840152e8d0b094e4c2c3eb57728785288aede4f7aab1d4b37722f3ccbf8403704a0d4980d8c12efe99a15425dfcbb01c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
adaa15f265ebc6a15b4437911a7caef0

SHA1
ffd80dd530b05039d68a1f33cb54a950eb1675f8

SHA256
e1121c0147b003e6a043f1a519acff38e1ea18f54a3b68fef78316234d163060

SHA512
7cb8043cc0ac13652ec5933aafe476b1b0215c46c4560e32f44cdc121773f90968880db9729ced794b50ad0fac6fe283d9837d64af1941a670eb83d6a5b51273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
76c57e051e0a0cde15c8c7d0c18b4502

SHA1
a4d89dbb4e32f3db701499b7518c19ef80825747

SHA256
78d9b0cd6bb6a96581851a8b4d2e18e3232604e4c1fe7c55f26417893ea4fbbb

SHA512
65b36b7a4ef4b44e46b04d53fa01c01bd194fd7e0fcaaab98dbf1b38b6374b201b9fdda35e58f476bbc0767343534cf8d91764c7385a5845e7d347bbc62abd0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
d8605fc6b13f301edf7b25d36f675265

SHA1
9c83edd889ac0ac77b7b54d42acaad33df25fa94

SHA256
0b908ab4500fc8a3a9f1a5406e55a3c25bdfdd20e8858fc2e67aabd46c8852dc

SHA512
0d550d414eab8ab72910d6ea89833bbb5db0dc81856026a6c01c4de9b199b2cf4aac90f6487519d121a185bb3ce6cb5dc24ec5846f60ab1020f3b5b835d4089c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
e135741eebc1d358cc8ba4748ff45afe

SHA1
7eb0e5759b9eb6c4418de2e1d2e4166e513273c7

SHA256
ca2e361a4f36cca074772068ded965bafcd572c74d10e3d68aaf3e496d480e85

SHA512
553021fc9bb01d52d7ee76db00cf7e2d0db81fb66b9a5b66ae6885e6d4463822a1d5bb59215edbe4f9dbe29a9b7bbb3e13f6b8fde5e22f0c05ac6fc303e67b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
9aec85f3480555a51fc0577c1a2edc4f

SHA1
2d7198020d64f291aa5f23a34cb391a1d740e96d

SHA256
fbc6123a343179ac0d9b19984a39f837950364ff55527be746bda312c26dbef7

SHA512
6357f7d7fdf1001e726e4db2c1f6136034a7c0786eb16d474fb0a90fbe6a791411f2b7a5efd5c37bf216debc02aa6d90e5d56c7ba78f95aa5db4f8d042bc75ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\be517402-ccad-451d-b49e-220e59198848.tmp
Filesize
13KB

MD5
c0fc16547ace7af15316281afa423228

SHA1
e239e0e25ea802b418113ce303024185e6c04ee9

SHA256
4e4911b7af53d8a038de436a9cbecd30f8acee730b342846abba09d8ecde48e4

SHA512
f5fc241ce7f220918b9a13f4b023d9ffd9fff0dbecb30dc08e3d44242ce03265aef0fe075b599b1f062ea2a5914c4e9a657b9d47d7bf8afae98152b03e595a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwp5xmvg.4ko.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
0ed149f3372b9a83f3463e1da9bcbfa9

SHA1
5d6a9b4c1edd712c8bc546ea7940575af241f319

SHA256
cc25c4ca4cde14ca028dd09d324c0f6f456158e3b119b50fb5f4805d461e444b

SHA512
b76538da511922417d3db45f85225eaf099e574c82d4bd8115fc8ec217978b0c218d4c77ab69fd8939afb52ff299d8fa21baf2bf1c4bc79c650c783ab13f98a7

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
10.4MB

MD5
036b05622fa0911242b700c000019e43

SHA1
8cda02a343f881b23943baf0e9e58060d2877b1f

SHA256
9286783745781366a7a467a59105064844e3424b348012b22b8c21ff91d4a080

SHA512
24cc47b928fa9abbc1eb2af9f7aae90004ba4753c654ac8c920059aa5a440ed07bf2b9a1ae21ecd845772a2a52198d5e796d46757b53aaf0e20e96a5b2b5f968

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 464435.crdownload
Filesize
872KB

MD5
ae3865f6d94f6a88c8ccf9d19b135820

SHA1
a0f1c953a24dd042acc540c59b339f55fb18f594

SHA256
6589008f680328707aaae689a396ee0fbcd180f797228e36cb7019e65ee735ca

SHA512
3ddfb23826c8d1f2f0ceaa7b450d7f2cfacb15f9f18117cdfd8588f88b89e16d70c96c395d9fe5226d934c4a6e62154a58684aa59182ee4e9b745fb1681ce4b4

Download Submit
C:\Users\Admin\Downloads\wannacry.zip
Filesize
3.3MB

MD5
faecb01cc94bfdd12209cf6417819897

SHA1
2ac41b764cad57a8cbdbfbe666ea55bd0a96f3c2

SHA256
32786cee70a09908db0ac4170ef585c1d9d2c91bf29003163c35b4d1269bf983

SHA512
3a1388e1d82069df44d79c23084a6a3d3182334207b7a410741e2b867d1f4598034741af16033c39f97ddd3e386d2de8167f72ef0a420afd51d28288aeed5a8c

Download Submit
C:\Users\Admin\Downloads\wannacry.zip
Filesize
3.3MB

MD5
faecb01cc94bfdd12209cf6417819897

SHA1
2ac41b764cad57a8cbdbfbe666ea55bd0a96f3c2

SHA256
32786cee70a09908db0ac4170ef585c1d9d2c91bf29003163c35b4d1269bf983

SHA512
3a1388e1d82069df44d79c23084a6a3d3182334207b7a410741e2b867d1f4598034741af16033c39f97ddd3e386d2de8167f72ef0a420afd51d28288aeed5a8c

Download Submit
C:\Users\Admin\Downloads\wannacry\@Please_Read_Me@.txt
Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\wannacry\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\wannacry\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\wannacry\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\wannacry\c.wnry
Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\wannacry\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\wannacry\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\wannacry\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\wannacry\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\wannacry\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\wannacry\wanncry.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\wannacry\wanncry.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu
Filesize
872KB

MD5
ae3865f6d94f6a88c8ccf9d19b135820

SHA1
a0f1c953a24dd042acc540c59b339f55fb18f594

SHA256
6589008f680328707aaae689a396ee0fbcd180f797228e36cb7019e65ee735ca

SHA512
3ddfb23826c8d1f2f0ceaa7b450d7f2cfacb15f9f18117cdfd8588f88b89e16d70c96c395d9fe5226d934c4a6e62154a58684aa59182ee4e9b745fb1681ce4b4

Download Submit
C:\Users\Default\Desktop\@WanaDecryptor@.bmp
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\LOCAL\crashpad_860_LCVKGVCBBJJTBYSV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1676-3826-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3196-143-0x000002447ADE0000-0x000002447ADF0000-memory.dmp

Filesize
64KB

Download
memory/3196-144-0x000002447ADE0000-0x000002447ADF0000-memory.dmp

Filesize
64KB

Download
memory/3196-142-0x000002447C1C0000-0x000002447C1E2000-memory.dmp

Filesize
136KB

Download
memory/4012-5296-0x0000000074560000-0x0000000074582000-memory.dmp

Filesize
136KB

Download
memory/4012-5613-0x00000000742C0000-0x00000000744DC000-memory.dmp

Filesize
2.1MB

Download
memory/4012-5443-0x0000000074560000-0x0000000074582000-memory.dmp

Filesize
136KB

Download
memory/4012-5444-0x00000000744E0000-0x0000000074557000-memory.dmp

Filesize
476KB

Download
memory/4012-5445-0x00000000742C0000-0x00000000744DC000-memory.dmp

Filesize
2.1MB

Download
memory/4012-5449-0x0000000000250000-0x000000000054E000-memory.dmp

Filesize
3.0MB

Download
memory/4012-5455-0x00000000742C0000-0x00000000744DC000-memory.dmp

Filesize
2.1MB

Download
memory/4012-5441-0x0000000074620000-0x00000000746A2000-memory.dmp

Filesize
520KB

Download
memory/4012-5293-0x0000000074620000-0x00000000746A2000-memory.dmp

Filesize
520KB

Download
memory/4012-5440-0x00000000746B0000-0x00000000746CC000-memory.dmp

Filesize
112KB

Download
memory/4012-5439-0x0000000000250000-0x000000000054E000-memory.dmp

Filesize
3.0MB

Download
memory/4012-5675-0x0000000000250000-0x000000000054E000-memory.dmp

Filesize
3.0MB

Download
memory/4012-5297-0x0000000000250000-0x000000000054E000-memory.dmp

Filesize
3.0MB

Download
memory/4012-5295-0x0000000074590000-0x0000000074612000-memory.dmp

Filesize
520KB

Download
memory/4012-5294-0x00000000742C0000-0x00000000744DC000-memory.dmp

Filesize
2.1MB

Download
memory/4012-5607-0x0000000000250000-0x000000000054E000-memory.dmp

Filesize
3.0MB

Download
memory/4012-5442-0x0000000074590000-0x0000000074612000-memory.dmp

Filesize
520KB

Download
memory/4012-5657-0x0000000000250000-0x000000000054E000-memory.dmp

Filesize
3.0MB

Download
memory/4012-5663-0x00000000742C0000-0x00000000744DC000-memory.dmp

Filesize
2.1MB

Download
memory/4012-5665-0x0000000000250000-0x000000000054E000-memory.dmp

Filesize
3.0MB

Download
memory/4012-5671-0x00000000742C0000-0x00000000744DC000-memory.dmp

Filesize
2.1MB

Download
memory/6036-2668-0x00000210D2630000-0x00000210D2838000-memory.dmp

Filesize
2.0MB

Download
memory/6036-2555-0x00000210D2630000-0x00000210D2838000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads