wannacry | hxxps://github[.]com/fabrimagic72/malware-samples/tree/master/Ransomware/Wannacry

Analysis

max time kernel
628s
max time network
647s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
25/12/2023, 12:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/fabrimagic72/malware-samples/tree/master/Ransomware/Wannacry

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA91D.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA934.tmp	WannaCry.EXE

Executes dropped EXE 25 IoCs

pid	Process
440	WannaCry.EXE
3876	taskdl.exe
1896	taskdl.exe
2980	WannaCry.EXE
4844	taskdl.exe
1500	@[email protected]
4836	@[email protected]
4416	taskhsvc.exe
2244	taskse.exe
5056	@[email protected]
2456	taskdl.exe
1832	taskse.exe
2452	@[email protected]
3604	taskdl.exe
1900	taskse.exe
3104	@[email protected]
3268	taskdl.exe
3148	taskse.exe
2808	@[email protected]
4584	taskdl.exe
432	taskse.exe
3376	@[email protected]
3488	taskdl.exe
1444	taskse.exe
2976	@[email protected]

Loads dropped DLL 6 IoCs

pid	Process
4416	taskhsvc.exe
4416	taskhsvc.exe
4416	taskhsvc.exe
4416	taskhsvc.exe
4416	taskhsvc.exe
4416	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2400	icacls.exe
2484	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bxdufftkhvq402 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1199853020-417986905-91977573-1000\{51F3122C-EE38-4242-88A9-C928F9357250}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 780031000000000099577a611100557365727300640009000400efbec5522d6099577a612e0000006c0500000000010000000000000000003a0000000000acdce80055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 8400310000000000995788611300444f574e4c4f7e3100006c0009000400efbe8f57677a99578c612e0000006857020000000100000000000000000042000000000059b3db0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000099577a61100041646d696e003c0009000400efbe8f57677a99577a612e00000060570200000001000000000000000000000000000000acdce800410064006d0069006e00000014000000	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4820	reg.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
396	msedge.exe
396	msedge.exe
4088	msedge.exe
4088	msedge.exe
3500	msedge.exe
3500	msedge.exe
1992	identity_helper.exe
1992	identity_helper.exe
2596	msedge.exe
2596	msedge.exe
4764	msedge.exe
4764	msedge.exe
3692	msedge.exe
3692	msedge.exe
4268	identity_helper.exe
4268	identity_helper.exe
2016	msedge.exe
2016	msedge.exe
2164	msedge.exe
2164	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
3752	msedge.exe
3752	msedge.exe
576	msedge.exe
576	msedge.exe
4416	taskhsvc.exe
4416	taskhsvc.exe
4416	taskhsvc.exe
4416	taskhsvc.exe
4416	taskhsvc.exe
4416	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5056	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2944	WMIC.exe
Token: SeSecurityPrivilege	2944	WMIC.exe
Token: SeTakeOwnershipPrivilege	2944	WMIC.exe
Token: SeLoadDriverPrivilege	2944	WMIC.exe
Token: SeSystemProfilePrivilege	2944	WMIC.exe
Token: SeSystemtimePrivilege	2944	WMIC.exe
Token: SeProfSingleProcessPrivilege	2944	WMIC.exe
Token: SeIncBasePriorityPrivilege	2944	WMIC.exe
Token: SeCreatePagefilePrivilege	2944	WMIC.exe
Token: SeBackupPrivilege	2944	WMIC.exe
Token: SeRestorePrivilege	2944	WMIC.exe
Token: SeShutdownPrivilege	2944	WMIC.exe
Token: SeDebugPrivilege	2944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2944	WMIC.exe
Token: SeRemoteShutdownPrivilege	2944	WMIC.exe
Token: SeUndockPrivilege	2944	WMIC.exe
Token: SeManageVolumePrivilege	2944	WMIC.exe
Token: 33	2944	WMIC.exe
Token: 34	2944	WMIC.exe
Token: 35	2944	WMIC.exe
Token: 36	2944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2944	WMIC.exe
Token: SeSecurityPrivilege	2944	WMIC.exe
Token: SeTakeOwnershipPrivilege	2944	WMIC.exe
Token: SeLoadDriverPrivilege	2944	WMIC.exe
Token: SeSystemProfilePrivilege	2944	WMIC.exe
Token: SeSystemtimePrivilege	2944	WMIC.exe
Token: SeProfSingleProcessPrivilege	2944	WMIC.exe
Token: SeIncBasePriorityPrivilege	2944	WMIC.exe
Token: SeCreatePagefilePrivilege	2944	WMIC.exe
Token: SeBackupPrivilege	2944	WMIC.exe
Token: SeRestorePrivilege	2944	WMIC.exe
Token: SeShutdownPrivilege	2944	WMIC.exe
Token: SeDebugPrivilege	2944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2944	WMIC.exe
Token: SeRemoteShutdownPrivilege	2944	WMIC.exe
Token: SeUndockPrivilege	2944	WMIC.exe
Token: SeManageVolumePrivilege	2944	WMIC.exe
Token: 33	2944	WMIC.exe
Token: 34	2944	WMIC.exe
Token: 35	2944	WMIC.exe
Token: 36	2944	WMIC.exe
Token: SeBackupPrivilege	3948	vssvc.exe
Token: SeRestorePrivilege	3948	vssvc.exe
Token: SeAuditPrivilege	3948	vssvc.exe
Token: SeTcbPrivilege	2244	taskse.exe
Token: SeTcbPrivilege	2244	taskse.exe
Token: SeTcbPrivilege	1832	taskse.exe
Token: SeTcbPrivilege	1832	taskse.exe
Token: SeTcbPrivilege	1900	taskse.exe
Token: SeTcbPrivilege	1900	taskse.exe
Token: SeTcbPrivilege	3148	taskse.exe
Token: SeTcbPrivilege	3148	taskse.exe
Token: SeTcbPrivilege	432	taskse.exe
Token: SeTcbPrivilege	432	taskse.exe
Token: SeTcbPrivilege	1444	taskse.exe
Token: SeTcbPrivilege	1444	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4308	MiniSearchHost.exe
1500	@[email protected]
4836	@[email protected]
1500	@[email protected]
4836	@[email protected]
5056	@[email protected]
5056	@[email protected]
2452	@[email protected]
3104	@[email protected]
2808	@[email protected]
3376	@[email protected]
2976	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2488	4088	msedge.exe	18
PID 4088 wrote to memory of 2488	4088	msedge.exe	18
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 5044	4088	msedge.exe	44
PID 4088 wrote to memory of 396	4088	msedge.exe	41
PID 4088 wrote to memory of 396	4088	msedge.exe	41
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43
PID 4088 wrote to memory of 1140	4088	msedge.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1588	attrib.exe
3672	attrib.exe
3560	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/fabrimagic72/malware-samples/tree/master/Ransomware/Wannacry
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe0,0x104,0x108,0xa8,0x10c,0x7ffcbfca3cb8,0x7ffcbfca3cc8,0x7ffcbfca3cd8
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,8475926938730724518,319975027789377348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4264

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ec0fc43ca6a0480b833ed0093460ff99 /t 1096 /p 4088
1⤵
PID:2552

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcbfca3cb8,0x7ffcbfca3cc8,0x7ffcbfca3cd8
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5404 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,17869146990247690193,3762157155413318458,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:2064
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:440
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:1588
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2484
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 88901703506307.bat
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      PID:3388
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - Views/modifies file attributes
    PID:3672
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1896
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4844
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1500
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:4524
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:1468
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bxdufftkhvq402" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    PID:3136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bxdufftkhvq402" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4820
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2452
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3604
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3104
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3268
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4584
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3376
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3488
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2976
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Executes dropped EXE
  PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:3560
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
585B

MD5
ce28f9914c656eb522bce185c0523565

SHA1
3ee4b6b9012642d60b9ef3bf6254c98cd87c2283

SHA256
4cf1f1d56d5631d882239ffda7332047081ebfc358d38da98396f7c718b2261d

SHA512
89610dbbc410a352552cba9373e4c58156ab88575a8afdce8494ee4a719caf9bb1a047fabba1db4d19e211c652a600ef301d916084fc3f8342929cdf27152112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6c6e6aab5327285dca72dfa3f8695741

SHA1
0ac0a9d43cf9dc7b2776c715ec8cb15630a4523a

SHA256
0959ec2fd96c322f7c1b2796b02e49951f26a8502517c7caa9937633c5b55fa0

SHA512
7f0881ee5a766a67239caa09315b7f971f3f21bf457cfd022280babd51c4de75e5d238670767fb0636e641e3f3ba17a872d8edc372abd68940d89d61e008eb5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c0f73ef8d2c8b99b9013c92c4ea7a8f

SHA1
3f6457260c34b4d69b15d6c9b895e9de1ae8e8c2

SHA256
0addc15d2db43b0f7bce73525294c298683784dd53229a196beb0bcf79c053b5

SHA512
b138aa56b8ec08c42d18aef8cc9751df29e55075add4ede0371fe110d266643000f51dd8813b172f0ab67ac5430206bea1f221bba431c1ee93d8f03933d0eadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
92e040d7c1eeb7646714b53e4a95eb91

SHA1
4eaae5706d13b5f0ca9f2e4c994cfca63890dd7d

SHA256
5342d5a6f08451e0f1c54f8e3658dd91eeba2be804f3582ddf8d6a4e2d0c6468

SHA512
e5b4c0ee79b7536679bf2e54f865f91b4957d4f66e498a026b88a6c14a13163f897f54baa9da747c1523eaf20d29cca960b8949a08a7b0ab9b0bbe92478a34f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
482fdedc8bc6720b85d2164fe3ce1ba1

SHA1
25aedf05c59ca3ea356cba55458dd2e9371d4d74

SHA256
2bc3a51a1beda38b88983fe38de8ed8bd2872668db7cd009f2ceb71021f19fa0

SHA512
86a64e72ead0b04fcc519dceb569625efd0dc0337423696ff2fe93a59cfcc3c4926ed8b3cb0f392db9bfe6a0560d395c18493bd0450eb772bf52155ae6588597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
128KB

MD5
778c37199aeaa15ad6d1080b564c6377

SHA1
01f012ee3a3412cd0bf4ad6863209126a1c29090

SHA256
c6ad3d7318d8671448f02136b5d3a0e917e89dabc00c83a594fae6607a5aa3b4

SHA512
5fa137c76ccb5085aa9f8eee4f3a9bcf86ea506fec2258ec2c68e5171ee143f767046f8a919ae0618e36ce86aed9aee1d76f3c0ba568353b1b87c93d7e008894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
130KB

MD5
073ee06ce49501a3c7cfc978c08a3490

SHA1
732b131bf8f7bca3dd126610418dbbbfbbefc002

SHA256
8e637b74b527b919a9399cda529d37de7ceb5e80c71c57b01ecd2792528f8cab

SHA512
66740747f9726e9795d8928cbe13d48a447afb4143d953c79c1c0c2628e233933366bea631eef6ac0430e46bbfff21c5cfd42861632f2e6f695e421b2fb6025e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
165KB

MD5
f216750cd1a77614ea579faf69a87b73

SHA1
401000fd8a2e44f44a16dc8bd71b070873322767

SHA256
7ac08ebf1dc438bee6903d169cfbe976e41a249443ba5df0cd745f24c43d67c0

SHA512
94d58a9d3d1eea1d801597d2afe7da1dce7053e354591b62a85e68e64155bb95971dd6c8270be4f83ac859638551856389e3acc49b1e93198a8af8e2cc4df38a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
29KB

MD5
82ca0956bf9861023141a9efc6fb4ada

SHA1
49db60014cec954d11c19052b1ec06199c5d71d1

SHA256
d1c0eabd6506042502ca6080bb84d9e83255873c09eeff7789aabdf21a802d6c

SHA512
3fb79d3c8d21acb1749990a6e3fac43c3f37645065b7d7438ac55abaeb0fa5cf57feffdba3d561682b8163c6e10d3c72cc0156d4287a3042e7a22c3372d3d181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0808c521e710cee7_0

Filesize
312B

MD5
1655af45b50438f5493cfb7b8dbe1381

SHA1
ddcef8136be219aa89312d68ee8d71441fac2819

SHA256
a8016f0188939630a217de0773639c86984ef5e8f7581e027d81195462189437

SHA512
53d2fbce5ae753c3cb34dd6d7c0ee4e0bb63f2ac64ae50f63be2423b609e6a519f567e7e1f99825198ed1c7e3787d093409751b4b87eb5d54463c2b2a418ae64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\40cdaaf8bd9d351a_0

Filesize
312B

MD5
ee8e1793a38fcf9eb3b0165235d5c3e1

SHA1
8048726f2f44923c04c7c0b3a478313e785e44b6

SHA256
d1b5c9b679cf483f343b8f6707678db0f16325f8e9449783ac2cd616088adf53

SHA512
e94b3da7b61b2852a567257e13ed63414cb69b3607102c38d99de17270ecf07e9797e2c509dedae937d78921e11d783bbf95928751d032fc4a280d2b2e593ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\931ff3ee2cba732f_0

Filesize
257B

MD5
921e7b3ed3a5da18ec8007b3471b1582

SHA1
47601d68dfba9cd89f93171063fa563e0136277f

SHA256
495fc60615b317976c8e43359fd1eefcbbe937aec889786871b9fb300cc2f1fb

SHA512
dfb1328e08842f17af8d3098b233979d9e7c93e2cc332a57a2f62b7f2fb3775c16619f01e8020fa15ddd5a5981202add9872296d4797fa6fe97c45f826bb94bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
20120717fb573c0418317d428a48c7d2

SHA1
d0a78c2f253ac6a5f07e4c83631051081f00c175

SHA256
a003de87968db4eac19c1fe65d0fea5a46e950cd862c4d0f182584b70b77547b

SHA512
d31afa4bd33c0101290ecfc1e2133cbfee3ea8f0021b8eb39d3918f86569b3d8413a59c5b99c59b9420dd2d4c896f328628f314c3a72ad4b65f25498d7800730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
728d889f91776b3526153d1254da0703

SHA1
c6574e15fdcf9be5d255653d59e0e09152bd792e

SHA256
8d0df75cf01227ad158447f87a84bf35a10ec4e2868308cdba919ecd5dfe9848

SHA512
0516d4586314b17205203a3e05e97b3e2c246b477149624b6b937fa75e118766478f49e7e292ff1e18d4c2319b409bcf8e7269035731a78d7383354001f16d6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
334fe75b71558db6f87688437ea3ec9f

SHA1
d38e806ba531aec41be57f2f90b3462f7d4e85fd

SHA256
80080b32db9df4b36b8b90b9ab15df57d33625871407705e50b3aa04e9aafac3

SHA512
39ac0041a0d2a466dd3c2d32b7ff5558a587adb202308d872740c060133da7cfc136ff5535eee0d5add3239b23b1379e8e36e1c5e0bf48a57ad2122c70103b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
07e0b4596727b515b325f68f642b95a8

SHA1
cb62c9a90c5139e95145a17f0e981cff53e71e43

SHA256
8e97a9308365f988a1f10e5e52e6fe4457a607ce79a66fb3e7f2474601552b96

SHA512
4cb09f45fc7cd393d655ec5cabffd3044298d36b20d34eb54cba43ff02d3c437b56429efa9a601d2bb6befb69da67b96686eed45063111b866071537732e4733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
fd242257b584fa890aaa0f288cd1777e

SHA1
84b1f414a36b4416fe5da0defe2b479d856338d1

SHA256
7202daa7199a09e95089655026bebc53a2f85f9198986700d26894ae7d9bd892

SHA512
b2a118548f601bb77144cc8de45688eac5c22a5d0148538bb725fdb9289e7d10d6000487a0ee0b3e6364d0ad26db7117e64923284441baa8e5b1c9297bc8b687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
483db1a222ea181b3ff01a57ab11e0ea

SHA1
5995945a2494de2effdaa1d34047070f28037207

SHA256
caa489346b6bf7ba9f5c7e81478b712e2500a6ae1883ce3245e760280fe19a53

SHA512
0d3ccd76056b33a52f5d31206276ef6cea4cfa031fd972b6f0f8225b1ead5f164c40cf16de0194586e088c113f9fdbdba4b6ecccfbd7ea93da125f9ae6495704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
2115e1a84ea1d2d1fa032aef446eb0c5

SHA1
9b703069e2f6d8726c3f631d8c38549d26d30f8d

SHA256
f7663b780df80d50b20c66589235cd6b4b33cb3b818bb540cd40e8e7e0cbb147

SHA512
13d9ea494c29055f896d420946b7fe6e9b225b94bc373ca9b230097e458b67e2ad62f54c6c6871aa4daba9bfa2e5dbec761bdaf00accc46fbc84799207b07709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
8KB

MD5
d3164dcf7868ba70e0c0860e7e4a095c

SHA1
4ba8e85aec581698af1c0f458526e5cbecd1ccf3

SHA256
3baf3918b55cd86a060ef29691b171464f63775f3e1fb753868b36639f49694b

SHA512
68bf3f7a741bb48ddf91959ab0284ed23cd9d20bd099c40fc73022cd62eb5791bb2b9b369b2486591e5d6d48ae6da2e2f2671c337ce73532485cd33bed9f404a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
14KB

MD5
bbd31b7589d5ef94ec09b08cdb1964fc

SHA1
ab0c40b90fa84c5af1619504945df8a7c5abe6c3

SHA256
93542d17591614206c49567b64781f6a4436d9ad41841c2a5473c78adb73081c

SHA512
d834f5ad098199911888693a22fc349f23b4172794cf02cf9918ad4b48df6604a3487c5adee23dc6b267089e6dfac858b09923c002c28c80758ff4a50f131a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
56476f93c548b05c43bbd57211c27f7b

SHA1
d8b1b436edd4aa18224b4e95203accfc414ce06e

SHA256
7bb6588dfa5d04a942354f88aed1c1844dbf19d179bc147efcf1552d6bb134fa

SHA512
2e72da46d7b5babaef86f245efd7f81a0cf66aa6b874626d9aa231db8b3a50d02bc0621a5d3fcab210812be4610d54b318ed0652f7953954ab97ea5af0a2ccbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1020B

MD5
198af275bdf564db70fe00d436f3cbdb

SHA1
e3f9129df4155751ec8cffae6c81fbf8605cb4ce

SHA256
dd4dcf6cb35af5d1faf1ce9edccb41f68825a0c662ee8b9ee35a7f7a7daefcd2

SHA512
61e7861cf45c74215cf2d05b68161ddbe826e1996bda137734848a5cce5dc275215b535f0cbb4e9feb05b326a5f14772fb254cb95b22ef2ea75bee6164fdbfe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
c4897aa78d9edac4710b6abd9081210d

SHA1
82fff6d6a6c64af2e1e64a0a56c46cfc2a3470bf

SHA256
1c2dbad9b7fe623f7907fe8875ae1df241de6ea09e8dbb063b885983420fc005

SHA512
207439940f16c3a029f465c4f4b6d290f15deea00c5d46365d2bbe5a27c48371315a7a5e39366638a4d256c843470b6e9acd6fc7c0b85aac10dde6176aba026c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
bd614c435f494d5fc00cdc4774dc1895

SHA1
23e5ab611e10a19d98d2f8b00b8f08f0bec640dd

SHA256
5b6579f8c324a0bb9667f1b3c5ad761f4de38cb4b10737dcd3de08dfbad790f9

SHA512
9174b8c1c4a1c9acf762de779e3a3a97e51206e2ea19e9d53f6e7c1bd8b3dc163dc46d069e75919bdad87ad626780c45262fa3af2275b1edf179b55725c758d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3af2fd5821ae621a62bd308e3197540

SHA1
a30d45dca680ad3b73abe2b22ec7b40fb4bda315

SHA256
8a6fac441517cd94a8cd45e6797ae36639a193526decc313947af8a462f83b3e

SHA512
ab9b330ed6626b79298bc7183bc332b8cbf50b8be8aff2d298da07806531a1fa9f7617fd6e2f2fb300859a2bffbe15880350dcbf871625be36b37cd90f564d4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92bbf04b1a04c0cdd0884374e3b12983

SHA1
f6df4c7c1c258a2aba46321a2c374d363e3af61f

SHA256
d46d64c8f206b3fe0cd556873b907e5290e3edec4f52370b3ce4b304ed6e550c

SHA512
10b3209cc86c6015f99389a12fb95cc22ab2660adfe7b8ef4ebc7210108e06bbb5ff47de0f5b9e4a9fb858a3ec9961747ffc1064caaabe361b77694225d7ccf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a70dbd524045cd04087c1bfa74a0feb

SHA1
ed7fa73871561fa9147c6f3000f41fea276b6ba3

SHA256
42003e04a05863a130981239412d8107ed73c460ed5cc4c779dc4b3ed5ed87c1

SHA512
9298d141d756da471a13c207ee460c323ea1dfd23dd65e7b6146aeb18dd0f6b85c6d7ea801142e744034f543e62927aadea3552f1819715eee16c8d2dd14bc54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c95576592aafd1311727452c5d0d71c8

SHA1
03c25b5081faa2ef02acd6fbe98dbba53b0e16de

SHA256
eac8ca5f84b238bc048cbc62a59de405b79a67cd0d5b32acb471bedfc4c2900a

SHA512
74391a4313b19f5e25c4aac8d4bade5742c3a4a2af25d1afc7688e12dfa9d13f6c7e8376140222a0af26bfd9bad3b519fd8c7b65ed6d505fd8477fff01ca2581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4dc9d60f6a1dd2dd953c3e5b41b3669

SHA1
a14ae3d5a892f45a84fe42491c5c12c265be8e88

SHA256
77be952fa83088dec44b3acada520e8ee77162d673dce29f449e56b0868ca323

SHA512
cee6c800c676b97da6b5ff2217c04ca1a916b20cc6172ab3f235588dd73d512ea159c992fb06ebffcd52b2386740ab7a279a646b87a40d3c10791c9a64bcfbc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f81e43907ac4749e4c6beccfb237ee67

SHA1
38ef4e14572bceda3009f99eacec7d6e46c3761e

SHA256
05f921f59948451764dce926a77fcf6431dfa99ff55a098e1ce602820e39b6d9

SHA512
9790abd491534af707f6628396b6eeb0275ae210d59892255f0bfc8c8b350a657e0c331097456f6098a334abdd930cc8c84df44a323745d14761e9615ddb6d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ac0c4ca018caebd20bfaa7012464887

SHA1
3a3467bbdb9ac004aac0d7bd81e02ce6c8e6c739

SHA256
28346ef2d531b955b3a7d238425ed4280bfdddded4610fd475905208717adac0

SHA512
c9a9db3940141bcd778cc3a495aae96a9bdaa2221d84d4ae4a98e8f6726d51e1100af0884450fb951a8e66e42e7439ff11626e6393e24f1247f1d3d0be20ff82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b7ab4d2026e6d163cfc802ffebbe84f9

SHA1
a780a7ed8eb8a99b25d907c715f1f6ab24c4c636

SHA256
d7573a49739b76c115e3e8442cede03e7894a3c02bb866804f70c7004690ffc3

SHA512
b3564f1cf2d3e16a78e7606c5824db8bb8dd7cb2bec914a39858af93a3ae676fa148948236a1caf251108e0efdde9ae9cc144439eb1e32b4d838da390cc8bbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a0ea1e9611b77416fbe6725f76c11c89

SHA1
113c0907846b5a3f680ec8659d68430edb420a40

SHA256
23f21f87e0a02875fd3b268d86635fd0a353180000e0026e025ba032a3fbb8b1

SHA512
66160da9269e5fa09aaa4bf0f586f4e62be748c7419497d2ccc792707ed164a8b6b5eddddf733f57bfcf6128a7ded124b828134ca850b68e8fc0ef186ab9141c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96a8f89466b2413dc99d92b420b1d673

SHA1
b3d487046a1349c0f5cabc0434bc157abf461d4d

SHA256
cbed2af3cbc4116fe5e816c89058e7881ac292a5b1d624bbf6e0dc149b510e10

SHA512
68967aa7be977781e440ea3a30c4740197bc3397d32dbd14c870466ec2a00f6b0a6900644108b33c8e5975fd83aaab227240dbd6b5676950c4c18a983fe51d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
248B

MD5
3b4ee0733d9c08942b68ab3b86058b95

SHA1
48a6756d89c5398c386df0c39412bb9c9b020b90

SHA256
c184d01c42a69ba36b056f983d421e824cefc4efcae25a0b5b801070fc39376b

SHA512
c16b1c7e943fc4fa1f1a8542295c1e35d42eebd853243cd22611cdd2e7da5fd5b1d163c33a65c99e52630682160a590a1cbb9824bce4ad325ae7731b37d7367a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
1e222cf4ed1ea79531a269ac45c9b8c4

SHA1
02efa0647d766950c23264c3b2c6778984388308

SHA256
6c35ac255e2a24e4df2a2be63f54bba1c30a4502bf7bbb413a6407c70c13142c

SHA512
9a43087159ce85c278854b4637905b34254154f6b8e35713e4ce455a91492b0741416194af2badd917a443ba4c309e93bf6340959aa039a7777a44f223fd5b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13347979538736477

Filesize
8KB

MD5
f94787bfec2aca7c46da9eb4028146de

SHA1
e48466d7395e2aa5210820fccf5f300908d9428b

SHA256
e4b827c1b006167fe01dffa4e6b66001f03ffd25507fa09b072e43065cd9dd3d

SHA512
e0f1534bc68165da8426320ec3ecbd24ca0fcfbe88020f8b30d8bda26cb58122c9e042d066bd14ac7dcb62184d8ff066f4e8035d7b82f10f414fe2010a9d1fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13347979539429477

Filesize
808B

MD5
cf96ee1006a6e81f425432d65dd5776f

SHA1
7c2a7289701302e3b0d18d2872dbd08026c2dc3e

SHA256
8faf0ad3e15380a1237553532fbd79d6817a9bc62a343d768577508da5114943

SHA512
5333560ee3fb38d7c6904134dbcca463998458090c24aec2b32d17b6269fa20c7aeac9411f833e30597d0a5dc55266ce1cddf4eb665bf9118007140417620e7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
69e8b5f534cea82fa15ebb39e1f01bd7

SHA1
9259a3ba344c030d837cc1040e3aff4053a4b7d2

SHA256
c9e4a6907ce31b24f4f91c7450156ffffd2ad347836df2bf50842424b4492c00

SHA512
bc6cc5678edde72de5ef3acd0717a9cb31596f8a318db86ac0e5898565faee9379dc7c23eb282e74d71778e5e31a947a27b3b8d71019eb84791c8c25be172924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
2637525d6d3e30df032e2e9a81dfe412

SHA1
4dd5c635e374266563ca9672db9aebed11c597ac

SHA256
bd67d756a30bd0746028e965d353042a2e78e96c302327c0ee0dcc6663059711

SHA512
93a10e133215173bd7315933680b69e672beeaf7bb129fe6a193a300a9f121beb9560bcc6bd98140bec2db6ace21fce95aa407605c6311c583fde61caddec889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ddba9eaa7f46942ada7d4c9d80a3d4d2

SHA1
1496834f3597f4180f43fab9315c840a4067d221

SHA256
0f51046d477602a6e3b1f60004636e04ab361ec310caf7c953e3410af181507b

SHA512
9abacdb4f5cea73098b64e150b87cdb0530e32ac330ceba644f8c0a1ea3ee10b7fcb843d979793e6be3ca5c7b72bdaf9e17b2fea55f110fe2c45d3547e1fa0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d0efbd141c9e73a56fbe758fb9af0e38

SHA1
1891872ac0aad28c4dbb50d9b1ea9e834d8fb940

SHA256
b8d7d060db3e9f520ccce46670d2f051b9efd7d7b6de01c5e6491919e5b41fac

SHA512
a0708927e7ebb504f7725bd6fcfa63529e9ed30621c488ad67a3eb02e7f98f6fca6dd8961aceec743f6efd98acedf5a1889b45fb26b52af7ff371e8639bc08f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
763369fe56b6896b8c8d147f0db15c32

SHA1
67c0c9f93c3d4b0b7e4de7b8dda6273909d6cc40

SHA256
21c87baecb23d070172517564db8f8d4523f20d4f12e50539dff1ddfb8e8b7fc

SHA512
7ae089b86204c2c66b8df2dd7ddaf5a93fc8fbf6286ed2e978bd6103466edf0643165d34ced0ad7aab10941e0a14c5dc0487c036f9b91d8b6fdecc853ffe6be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d995b956b54fafdcfe0ea1766e0ef44

SHA1
06ae23718357d4223365074bf0dfa60297edc55c

SHA256
3dd005e0a6678e3a6d2872250c1969a3582937787b5d2bc3ee72d6b75c64061b

SHA512
ae833bf78f6281789a1aef39fa3aedca7cde450f0afc573470a067644123d8c264e9a17aaa7b9086384596d34b566abd4437cac5cfbd80d571d3229228723467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ff059b4c9a2d8a2df4c2921e2f952f5a

SHA1
f6cda34f3b3cf07ba23e3920058eb0fe29ac9a22

SHA256
dca4c7d3b5351a2631e2584ccd3d07defa74bcfa38861ea140391df523d9f2e8

SHA512
7b825187d8316fb6f7c43cfc4af9fb8a62487c84204f06b2610607ef16ce022ea635b4560dddf784adc2f8876939088ad622c0ee7362281622d0f15fa2407027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
42ad42da6a7b72110419d6849457cf85

SHA1
4973d164eb539534d7c3be2cd19a7cb6ea85b1cc

SHA256
ee0262ce2eed308a34ffe1cbbd2b6482d1e811d12659887b7f052358167b70eb

SHA512
f6f0fd4d67ae762f6c6d58009de4fdcf80612771fe417135c6eaab8209ba732ca62653b2029410cf7914113e5a8cb444a2c3abb98eff713395104d4cc0d8f976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
353e42630dced77bea3a6cea55b01e44

SHA1
4618e54bec160139b3ae9980cb9d51f3989898e0

SHA256
b0c1013880d617d6e7586fc5b346cee198047802881e839eb7b254d076100db0

SHA512
32755e1cd13fdbb882fb8de20f4ee1dcdcfdcb0aac793aba607d47d86c34fa1d3f67f9c1ad49888f4ab5d016e87ee66ba8c506c239030f60e46da41052d32004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6f0c211f35e1cae5c457f08d5f3930c

SHA1
020896b94d396763ac73cccba2e2f39ae4177dac

SHA256
875367b3d3df500682690b58e114ec1f6dba51d9e47e00e9c999f6f26b66c653

SHA512
e19ee91f93087d20cd51cc74af8e56599893bad95b95ca26b0944d55119059a1ad494fadca9186e37b6b9fd935b32d6396273f0ac4357a5c0987a252b8bfb854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
843a867861cf6f67d105839f3680b44f

SHA1
78d96d70be9950d92069d2141eb20c2dfba2ab92

SHA256
f3a3d777fe5c6992ce75932541edca6a479bb0e6e69ed8e9ef76d4b962ec1268

SHA512
07b1a1375c2e8dc783a8f398a28e42a24b5d649084c18da9618421977df5bcdfc08f956cf14f56af742ee547f12cad2863bb5080fdea0881c9abdcdf2c3e3bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
29832aa596e88bba486cf8381f9613d2

SHA1
6fb6e589562dbdce67767b37cbc24e97ec2c7f0e

SHA256
d8a1dfa3157953a4367cc894c4c744dfe5e81b2c6a675ec0c2a55eb94709daa2

SHA512
26d28044d08037cd70144a61cbe4b68232a971b355c79a4f6624e89b6cd745d4c0ebb5079179bdd73f7d57ff62fd00f9ffb7ab2c11279e93863567050807e74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6aa0494f6ce4c6722bbc6475ac01298b

SHA1
9a3f573ea69e5cf669fec0568936d279f654eea0

SHA256
9a4ba0a14d146271e01b8248cf8c4d588e2eb7c495ab6ac32935707a65dd9d66

SHA512
eef5b7432d5ac0ddd842ece90d4f54fc9d6eb65e730836d2a9d6348030e0413637b38c90542c90f5ac03d69f164274f35754d840936e98b0960636c8c2426122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
de5a0cbcd0f854fe56a37ac0cf65b33b

SHA1
3b68bdf82460058f96de0ecff9c308370412b704

SHA256
9a9415b7e5c3c568628b7d0914c5f50d0fd26854080acde9d4f7f161cf91d5dc

SHA512
c7483bb6dce4bff15740df98229dbd06310cdb3d91849a4748098bda92dc855f5bc7165fa163481048c1d67b7939fae16ec21fa99eae13e854a481a6b1201abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583042.TMP

Filesize
203B

MD5
86937052ce1b06175dfbc1ea9739f43a

SHA1
1ff6f032dcaadc9bfe55bba7edd7c646bc9f3ca9

SHA256
0bbec8b8d4eb621079364b50416c6da109a5141f87f41a2fd6d343cd40b451e4

SHA512
ca615046984707d9b73221b0039cf09c57cc149878e998b1a7471b5163bf994edc88df3dee4e7017a6532a49cd22c0457da4eaa523da0b85ba56bb08a4e06978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7980cacb6fc8dc152b73da9ee3e1fdb6

SHA1
8cbf94860fa624e4ed62723eb806e5744beb18c6

SHA256
1a2d9dcea98bd03f1c1bb2c19b0f2d9f397203f270b4ffcf6f738b03f1c3727f

SHA512
799543dde5004227236839536c3fb610209496a4996d36c18b53bdfe30db7fe7d840c54b1befc4e18cdb33cf614e46940928d7ef85b9d6836f2f0edee13b198d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b696896d-a4f7-41ca-a676-3c5e40abbb3d.tmp

Filesize
25KB

MD5
58e2b179dbb10d049fe23616966bfb2a

SHA1
b4f722b7e798fb6347837b51b05a4314a8219d84

SHA256
cb934e662ce5441a1fec40f63ddb8b828d7cf0f4a532712907064b377d2777c4

SHA512
ef3fbdd259151b0695369fae632106d190d2b9ac20b9854c5d2c23359ffde9469ea1736e7079264fd739ef3a214ac6ac8dbb9ab6c49184e5b5ebf9b8341c0c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
84771697e2e3d24c2884804cb20c0a5c

SHA1
23342d8c7deb6308f5d009f3356e3d1b54e8f53d

SHA256
37d56b40a0f49f28dd6bc97770cdbd08606772cc49be527ce85c154b74259efb

SHA512
a317df6f028faa84ee06a42ac184d6f9abd93a899a7048f45416d2e88c4e889fc4d08d526cbd92944c4595166b3725b3a1eb3d1c30758961923e4b24814c1385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
762KB

MD5
955daa582285751895c6d3c46b18ad33

SHA1
32af9196ab2f627746911530fd2d546b15ba151c

SHA256
6256c8893da9c1ac58545e299473c5341b497c9c1329f9a7476375ba9a45481d

SHA512
0527c6cecda5f976de84c7d556cd8bdba132213c388a0f6d9afed10bea2380d17546e7a3839edb670a1fe950fdcef0bd1525d68458dabd9784aa41da073cf591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
38B

MD5
51a2cbb807f5085530dec18e45cb8569

SHA1
7ad88cd3de5844c7fc269c4500228a630016ab5b

SHA256
1c43a1bda1e458863c46dfae7fb43bfb3e27802169f37320399b1dd799a819ac

SHA512
b643a8fa75eda90c89ab98f79d4d022bb81f1f62f50ed4e5440f487f22d1163671ec3ae73c4742c11830214173ff2935c785018318f4a4cad413ae4eeef985df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
9ec9669f46d481f8dedf72e06ef7d1d7

SHA1
acfe6137c44453203e920851f146f9685d4e32d4

SHA256
31f79adede24632229fe12eefe50161cbeed9df9da580c67ecf1279fe35c947b

SHA512
198daaf6f059912f9aac5a44cf912fc0c1117d72aa67a2d90cdd5d721552bd4124c03a8f94ef095dcaa63a826c383169d5fa6aac34c908fcafd1fe7337381351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
bcfe2134bc05012efb140101dfa17575

SHA1
a5492bdda81c29acfa9b9243edea6a7076f9ec72

SHA256
af81cd920806fc791dae81c3679f97556cb7af2798cb15b8ec833f90024463d2

SHA512
0dd1e807a814794d77adc081d894136eaa88187c871a7bc8755a6fd6311d64e46080fa44817e51d18e14cbb98949772a9113d91025dc5765dbc9fbb5c76df481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
fb5570c18e672390f5bf997b9421e152

SHA1
cf1441234f58b73c2238dd12f7dc22d4ade53de9

SHA256
b31ec88d2f33e3df9fe1b9e45d8c6728451c847757ac4cc85fafe51e2d252784

SHA512
134ecfc1810cc08b98881cee54a9ad9ab16da96611eaf7ca03d0dee2e38a40bb04ed633ebaf0ad8bb4cef6ab8769b1d2c87cf138a371701ec154dc27e86c87a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
48KB

MD5
d1549f3d83d80d0ec0fef2c53caab18b

SHA1
b6ad40adc31355537b3b058d9348c4b1b280c85b

SHA256
28efc6f35b6b3ffde0be33ed5501d22c5634808b6705ac7c60f61755757a2496

SHA512
953bcc1f71db326814a1bc93a2e65f7b24c49efedf16d0f68537f3e0f1196051e3d2c59ce2394cbe1aa60580900bc2f79df21c09d306f4708335c8b3d8aaaeb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
69KB

MD5
0b3d8f3b13a28edb3a95e93ef49800d1

SHA1
bbec11c6e0b3e633415fffbc9ad6aa77e6e3a360

SHA256
7ed636bd875f677333a1e884ccd299a95bea9ad093e7e5361ee024ade249f4b5

SHA512
6652094b4073fcf2a487a21676afcee28ead872a269b1e87c29c6e88fa30819d1ef7595edb28732767156492841319baa84cf2a39dc6f11885112adeb3eacff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
20KB

MD5
ef9588ca82f853399e5968af99985e74

SHA1
80d9df4f75c3e789ddf10584d9ff9de2b6154cb0

SHA256
9d550015f47a4d5d502f8a2f5b33bd9cbd136f4fea7c64754c8cc5a9651f7fe5

SHA512
a77b6b0bcea459ab4fc1e5d0983e85b86a6b0835849345f6afbfb27a5e84d8d1a38ff16e21ecf862e95d0a74e3fe97fda28bea66752b8bd64fd44c8ba680a5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f45377ee7ec71d400582a0c7af70a5a

SHA1
421c9a2a4cd93724669a26260c87eadd604c4eac

SHA256
d1b926ba4f0c499a8518973d52822a67219ac22e8c93a443fc4baea74027d84d

SHA512
518526f0f754e8899c8a5ab94472448f5a96b0cdd3866a70369d4c5b96bf103f16392aca759d237358259d3fdecef61a6e7f2fa812c6bba1b7d0d1e38b9b5b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ce45e4b61c83de42de498e853e7231a7

SHA1
3013aa1c82340b10afa4c7584e7fe84587120db7

SHA256
183a62fe2c4e8cc38e9bbfa3c4866b48800c63cbc50a2c878ba2d83ef56b2b4e

SHA512
8e1e600ef270473b27b957af454b966edeeb07b5f6690966cf55bf18605e029d5169303af0f3281ba1004f896be53e1ce8cd936775f642e5bd691203cc393ff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e32ee249a37b0c0e9a81627e68f22833

SHA1
dd6cd6b24a3a96c8a95fd0ca059f1932e2ef50bc

SHA256
6312d073ce8018c76facb320620df0a442fb736f6e74d40c2d786194c45a5197

SHA512
5181ceb7c513870b142663b753577ea176f577aebd305fa6f48cbf52f4a87caa9db27e19c818491dfd101410bc9544ececc504adacca4fd9815c14b5f24ad160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
95139016d6acacf1b7d98c64289019b8

SHA1
c0a9b2d94059b6707f74e013890da4b4b338f127

SHA256
eb9d3191cb766419101050908c5f207a885a57b6946c2b0bf4496351390cc3d5

SHA512
7151868c739c51925412434e1f2ecfe3b5167362c17f441d56329d52cd9ffef1426fd11fe81d0f22cf73f3ffe6023f7e8abe7168a3c86a5648e72e2fba6b4b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
32f3652c9824f8b4c6ed4effcdf612c7

SHA1
b6ac6340938f6dd373ebaf50aa47d967fe7a7144

SHA256
f4074826d0128f2797657e4bbfeafcc4abb4eeb4980f0eb6efdd1148c134a805

SHA512
cf17be7a9635d62a446af5a2627659508cffdd6322af55e0ea0256e895320b5153b95768db71bc8984d10679d86527ce51d002e6115a1511ae2eb386761e2a29

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e0318545925262ee25623937bc30f43f

SHA1
dcd7b4f9513e205d046fcc3c42bce17f043851d4

SHA256
2233a96a9ee22402cbbc28f09a606e9856e3a5e3a9b5aa005a773481bd520b4e

SHA512
5a34b9e05e09e65775775f054f47e1f25b2246cffa6e18dc29521957512cbd415c184296664ce4ee48f3fc0be50ce4647bb6a1a5297214c8db7a6f912306b313

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
1.6MB

MD5
fc2f62ce6e0bccf7f357c000b2d7c448

SHA1
a9bd43c3a981c11172c43e657e1cd5960346c7d9

SHA256
0ab1eca20ea38dbf365eb51a7449f75fb48f8544530ba6e5b60a166e2b5add1a

SHA512
b0b721e55552f38783b2af1f7386b18ac54c270a0397ad92ac787ad3bb7b7e0b81c53d59d8cd2499109b24febd844a0e9dcf00216865ace5d850da860e59b1ec

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
2.2MB

MD5
3913543008c4c55bf913f7afdbdc98d1

SHA1
11dbaf3d2c63e23020a944c4e72788e00dd49f78

SHA256
a008e8ad0f23535b37252478c88c5c6a7340e49d7785405c29fc4a987f3928be

SHA512
e81f948101982983122988a38a9bb14e9733f37a7e978081a479a98088b23a47f510e2d50f28eca5f6cd6a75c4fe97bb0134ecad0c395d2cb13f1143f0dc7ef6

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\smb-ojjfqxul.zip

Filesize
28KB

MD5
fe6e12d64370922c2df628b35a6400ad

SHA1
2ec93948f6440f04ca57907faf6c437a52f9098e

SHA256
4d274e872953afd207ea60d339dbeb91f6c3cfe28deb8a65b7f7fc89989f5837

SHA512
f12bf2c948c0b275ea6b5175a0841e6c1e73f10b18a0e571825b87218675281e73af88e3b7f0fe007b22eba720a7f4baa2eaf04d12042910db96d97780095875

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.2MB

MD5
878144c264a9e3d26773a60f79309dc3

SHA1
36d9dbd89f0e15a30c005adb904876e86cdc311b

SHA256
753f2824e79f07cef78f469475cd301bba365f01c90dd80af06c633240a048c9

SHA512
894ada4b457b24ca7910094e71956495dbdcebe46f0bb32d040ecee84df87511dbf0947b8fd8ddb7bc6f9dec8df7c259aa1bb59343d145140e73a993ed0c791b

Download Submit
memory/440-1082-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4416-2471-0x0000000073190000-0x0000000073212000-memory.dmp

Filesize
520KB

Download
memory/4416-2486-0x0000000073190000-0x0000000073212000-memory.dmp

Filesize
520KB

Download
memory/4416-2467-0x0000000073360000-0x000000007357C000-memory.dmp

Filesize
2.1MB

Download
memory/4416-2469-0x0000000073330000-0x0000000073352000-memory.dmp

Filesize
136KB

Download
memory/4416-2470-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2466-0x0000000073190000-0x0000000073212000-memory.dmp

Filesize
520KB

Download
memory/4416-2473-0x00000000732A0000-0x0000000073322000-memory.dmp

Filesize
520KB

Download
memory/4416-2472-0x0000000073360000-0x000000007357C000-memory.dmp

Filesize
2.1MB

Download
memory/4416-2474-0x0000000073330000-0x0000000073352000-memory.dmp

Filesize
136KB

Download
memory/4416-2475-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2480-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2481-0x0000000073580000-0x000000007359C000-memory.dmp

Filesize
112KB

Download
memory/4416-2482-0x0000000073360000-0x000000007357C000-memory.dmp

Filesize
2.1MB

Download
memory/4416-2484-0x0000000073220000-0x0000000073297000-memory.dmp

Filesize
476KB

Download
memory/4416-2485-0x00000000732A0000-0x0000000073322000-memory.dmp

Filesize
520KB

Download
memory/4416-2468-0x00000000732A0000-0x0000000073322000-memory.dmp

Filesize
520KB

Download
memory/4416-2488-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2490-0x0000000073360000-0x000000007357C000-memory.dmp

Filesize
2.1MB

Download
memory/4416-2495-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2496-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2498-0x0000000073360000-0x000000007357C000-memory.dmp

Filesize
2.1MB

Download
memory/4416-2505-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2507-0x0000000073360000-0x000000007357C000-memory.dmp

Filesize
2.1MB

Download
memory/4416-2512-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2521-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2523-0x0000000073360000-0x000000007357C000-memory.dmp

Filesize
2.1MB

Download
memory/4416-2528-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/4416-2530-0x0000000073360000-0x000000007357C000-memory.dmp

Filesize
2.1MB

Download
memory/4416-2536-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download