cryptolocker | ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9

Analysis

max time kernel
1800s
max time network
1810s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
10-02-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

index.html
Size

1KB
MD5

84238dfc8092e5d9c0dac8ef93371a07
SHA1

4a3ce8ee11e091dd7923f4d8c6e5b5e41ec7c047
SHA256

ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9
SHA512

d06b93c883f8126a04589937a884032df031b05518eed9d433efb6447834df2596aebd500d69b8283e5702d988ed49655ae654c1683c7a4ae58bfa6b92f2b73a

Score

10^/10

cryptolocker wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 3 IoCs

Processes:

explorer.exeWannaCry.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5deb2ec.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF288.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDF28F.tmp	WannaCry.exe

Executes dropped EXE 12 IoCs

Processes:

SpySheriff.exeCryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeCryptoWall.exeWannaCry.exe!WannaDecryptor!.exeWannaCry.exeWannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
2844	SpySheriff.exe
2320	CryptoLocker.exe
4740	{34184A33-0407-212E-3320-09040709E2C2}.exe
2452	{34184A33-0407-212E-3320-09040709E2C2}.exe
2512	CryptoWall.exe
1724	WannaCry.exe
3528	!WannaDecryptor!.exe
4444	WannaCry.exe
2816	WannaCry.exe
4732	!WannaDecryptor!.exe
1408	!WannaDecryptor!.exe
4032	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exeexplorer.exeWannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5deb2e = "C:\\d5deb2ec\\d5deb2ec.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*5deb2e = "C:\\d5deb2ec\\d5deb2ec.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5deb2ec = "C:\\Users\\Admin\\AppData\\Roaming\\d5deb2ec.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*5deb2ec = "C:\\Users\\Admin\\AppData\\Roaming\\d5deb2ec.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

8 camo.githubusercontent.com
32 raw.githubusercontent.com
41 raw.githubusercontent.com

flow	ioc
8	camo.githubusercontent.com
32	raw.githubusercontent.com
41	raw.githubusercontent.com

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
58	ip-addr.es
353	ip-addr.es
456	ip-addr.es
507	ip-addr.es
567	ip-addr.es
725	ip-addr.es
138	ip-addr.es
222	ip-addr.es
400	ip-addr.es
672	ip-addr.es
785	ip-addr.es
55	ip-addr.es
285	ip-addr.es
426	ip-addr.es
620	ip-addr.es

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2052 taskkill.exe
5056 taskkill.exe
3536 taskkill.exe
3168 taskkill.exe

pid	process
2052	taskkill.exe
5056	taskkill.exe
3536	taskkill.exe
3168	taskkill.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-894477223-740240645-3565689000-1000\{985A4A9E-7538-4FC2-8BE7-ACC3AA986D05}	msedge.exe

NTFS ADS 5 IoCs

Processes:

msedge.exeCryptoLocker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 959241.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 927030.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 90599.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 796564.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4716	msedge.exe
4716	msedge.exe
2036	msedge.exe
2036	msedge.exe
2700	identity_helper.exe
2700	identity_helper.exe
4164	msedge.exe
4164	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
2396	msedge.exe
2396	msedge.exe
2004	msedge.exe
2004	msedge.exe
2316	msedge.exe
2316	msedge.exe
2396	msedge.exe
2396	msedge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

2512 CryptoWall.exe
4396 explorer.exe

pid	process
2512	CryptoWall.exe
4396	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe
Token: 36	1656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe
Token: 36	1656	WMIC.exe
Token: SeBackupPrivilege	4792	vssvc.exe
Token: SeRestorePrivilege	4792	vssvc.exe
Token: SeAuditPrivilege	4792	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
3528	!WannaDecryptor!.exe
3528	!WannaDecryptor!.exe
4732	!WannaDecryptor!.exe
4732	!WannaDecryptor!.exe
1408	!WannaDecryptor!.exe
1408	!WannaDecryptor!.exe
4032	!WannaDecryptor!.exe
4032	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4716 wrote to memory of 3960	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 3960	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4996	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4928	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4928	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe
PID 4716 wrote to memory of 4364	4716	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa8b2f3cb8,0x7ffa8b2f3cc8,0x7ffa8b2f3cd8
2⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
2⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
2⤵
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
2⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
2⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
2⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
2⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
2⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:8
2⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6060 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Users\Admin\Downloads\SpySheriff.exe
"C:\Users\Admin\Downloads\SpySheriff.exe"
2⤵
- Executes dropped EXE
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
2⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 /prefetch:8
2⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
2⤵
- Executes dropped EXE
- NTFS ADS
PID:2320

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4740

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000234
4⤵
- Executes dropped EXE
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
2⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
2⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2512

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
PID:4396

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
4⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
2⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2592 /prefetch:8
2⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 299521707526277.bat
3⤵
PID:4644

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
4⤵
PID:4792

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
3⤵
PID:3856

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:2020

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Executes dropped EXE
PID:4444

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Executes dropped EXE
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1
2⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
2⤵
PID:340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6644 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5928 /prefetch:8
2⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
2⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
2⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
2⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
2⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
2⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6600 /prefetch:8
2⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14478110624914968492,11912126717742121360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
2⤵
PID:2280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b09c5d9d170124cc803af2dd5f23e2b4

SHA1
41a3ddbafd6f3062f07ec162679bfab95fd88482

SHA256
5e6d5fcfb3805ecd4d9388837551cc02c5452f03cddba1b29b23fd02686befd8

SHA512
8fd1752211ec074f85d0ee59f39bea6e639199602d71ec947940575a9c515dda96b1eed5af10d513e21373f64a6d03146bb3251aa690830110ff4c6c486b4036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\22ba842d-21e5-454f-a663-46286b7b4f44.tmp
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d
Filesize
28KB

MD5
19516313bebd9146ebcad2a6abe445a5

SHA1
579cec4dff6f3850314fe11f0036ae6f5a07ae41

SHA256
baf4ea6741156c9873f77e272491cd3da1c0d63ab785b5dff47cb93e5d8e4dac

SHA512
cf1b8015fb2df7ccc8632d3d5e28e35040d0ef323acf0ebd612229a9f25e005948fd4804286d070f2d2b1f16a5f191bec85508d2c64a95d5530fce99a86bac23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e
Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022
Filesize
1.1MB

MD5
bdab9a2e211c97708fdc8d5266c38ab8

SHA1
358ba06a657aef8487e09cf2879c122e3f10322c

SHA256
9d32b72ffc4603b321ac7711cf8da2c49cd17e93fab5c8a016b40b809ac71419

SHA512
0da69fa8c367df4cb17ef71d026bc866a4521a95440418357913b48f4402b4ef5d7e9f6ebf56ec7f08e07289a3ad93103e80649a839ec52c92970048948ae8b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
92c3ef9b867d12318188a370de7a1a8f

SHA1
0931dde3fe3fc8acba77a220ae5fb87a74227a27

SHA256
875dc5da43d03759ab07c64ec8adc24f7d16f4f539de2f8b9d7bf8e71675a742

SHA512
39a4dcf0b226e1893a67d7707832493028c578e2db173b3602c4be07802d3b14f259380b2e73e00c29b99a8f39042a1e96ce758134104b972dfb616085fdae79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
e731462eba01eef2670511e39f514510

SHA1
2d619cea326ece9a3a4c39c9f1d3344851027e5e

SHA256
d1025b7aac66798115fac13afef7da9d2b656f6ca62232f85e3e082ad8706093

SHA512
f4b318d6512135e4aba7ca5d0d44dd440838b7d475760ece2e2b40cdee3d286d0c578874b81728c469cebce3a7bd9394a2f4b905ffc49e0750ec16aac287cd6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
f6af22b37d1a3a645a7d078f38e19c63

SHA1
035165e989cea5ef1d5d673595207563588dddad

SHA256
dcf66ccfc245130452fdbde7fcd0018a93b756db830fc10eece9e832097f7bab

SHA512
368b623e3d114e7b88f127a61f349a109b5e0266485798e81eb43565ca19324a7003db0bdb3a5ec374c935bbac62a3dbc099bcaa650751814836f307784d6d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
05b443018b5e497ba2002750185bc8cd

SHA1
9b5f831c22336134dcdb25455815d3f1c45662e3

SHA256
959fe1c8262301e8467750a743f8b418a6765a1b54aafb0cb7396b234ccd654d

SHA512
a8e62962b05c0687e325d9bcb48062a4c72a68c1d83a8e6163b54a779c8e628b3a72342c4da6c22299a0491cf97a94ce84f9b4edaa06f0f74ef02b3db93aaf56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
566B

MD5
e85db21b6e06c8660f072ae91d026588

SHA1
810f8b1623e7fc6ec1640fea6b780862545740bd

SHA256
cac741b5a51582b94d456812e6fea48b20aceab76ccbe24849a89a1051df46d4

SHA512
bb66badf93deae6e2ea84774faf9d4b6d1312ff8e266dc49ae81e54b1b5e11ddbc7e3faa77be70ce77b28c73117732eb0e4a37e4ebf698b1bdb277877466b13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
649B

MD5
e5b47799c989b26f5654ba9045f0e027

SHA1
e208ffe6734719e2f8a258116895b8f28f147c54

SHA256
abadc42868dd54eced87160ff3d305eb3c3158c14987cd486b044cfae88d2823

SHA512
4346f0bd8beec7db2b93b91a9a14e45b1e406743f13a2aa5c9b0d1c701aea6be6735f39cc135fd0a9a6a9c57caa0ab3daf254ee9208e3a64a03ef004430ab31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
8d54739f3996a81280594e80b80a738a

SHA1
2cd1f18364c4388d63bf6004ba8f1ae133da3474

SHA256
ac2031eab68a90fb2643c5623f365868fc1ace5b232d9019210812737c43b226

SHA512
6ba3371a8e645431854293c640e78d3f77369ad502b62759cf5730121fc5b490e914d3c7ad38038415716df91c66ca599fa7e8dd4e7d550f721f288357b470a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
ae84af9e6f6b481a781a1dd1a1f54b86

SHA1
3836811cdb7114c59cf1d225e9cb4c687fd77782

SHA256
9424b4c2868c24754e803204b972c5c78c07f99353c09bd38ac06b3ff1ca3885

SHA512
1bddc8c154c965eb930e78631601f7ee82e1d8be177fb8483235307e05f49004a18e2c31150dcd3f3c420205d98dd5048187cec6fdd93ba09f49b3638e489d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a97576e1bfaeff6981e590e2afa2680b

SHA1
df36115029bf9e54f787e380af507b5e760861ef

SHA256
c0aa79c7391dce06ac71934de3c5d3ca13605b2f27af806eb55fdcef03a2c8be

SHA512
ccfb8cb5950112bceecc64fe7b3ac937f2c51edd9a7727b7380704dd405e9f5ca215c9e7b5b366b0abd8ea6378971861c636b4ed5b7cc3a14492c2a6527975e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
0e9067bdc8d30fbbeeac6384c59fc7ee

SHA1
2bc62bec211fab7bfaeb2cb6cba73f2992e9e446

SHA256
83a03639e9eff75ab687cf751bc8fba762c14d8eccd432946c10bdc8065a4fe9

SHA512
01040dd5ccb7b5cfb087a07775582ad069fa40c645647460e73c5170b15ad0ee4dd02b145ecc740defef773407d54588f85e4e8d9ff5d45c8fe5a598dcbc16b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7b06c235626626014cb1c90332940a8f

SHA1
fa2e124b454473af9d34d53b4873093c5d86978e

SHA256
b0d8c71937b4fa30fea28c691c26d78be4bc4fd0be77a88ec4da4adf43d66dc0

SHA512
b7b4f7c4e1d2015ae0c5a8725d572d8b85842fc3dc239c84353267ac16877b2566cc09c4640ca9252166296331a4d053a66e0469e3c65db03a1443ff49625e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f2bb0a2a30ef60ff7bf9c512b09410a4

SHA1
fc1c37db933e83b15f434b1400fc28e5c0ce765a

SHA256
fdf2ceea5758ecfec0dd1ff288d8ae0178b7da4315940b62178a398074ca25d2

SHA512
d1dab20ccf512df4d704a42e3ab7a176edba76602bf93519a2c867ec84919a15c8ed764c3c527e9eabc2566e02e0687ad7450663f0a1f40d521a1105e6148b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5bfee03126636eac276c2126514f0483

SHA1
465ef1168eda3dc0f8ca0ad2c7e375b680ec9a7b

SHA256
ca92f9739fa2b8a65859351b463fdfed29513b075c429521ae19193f8eabe6f9

SHA512
a5312e1d93ec90c8a0f5b27eab4e548ce346368e332bda7b29cb939593eaf64a1420950ede6b374956b8b76aa3d029451b7189834bb8232262963207a1528328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
91b5cf3525e506ec81c0ec0c4e02d921

SHA1
9d3e3d19700f17419ec9003c4b9b0394829bb3b1

SHA256
5ca05b590ec22f49cef2445e4c98e968d5790b2563d8e175ca4c8cf2f215fe66

SHA512
58f445e4c6ae1176b4a19c791872898613b78e2e065d79aadf34abb0ea7a71d5d9f39496b322348766e433492bfd76af43b154c237ca7514ae7a90210103ffbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5f026787d91d99e1a82043f1bc898064

SHA1
f4632b64808faf7143a07351888d3d5c84a24807

SHA256
140800ceed2fc39c9b5243e76df7771e008f4351fd3308afcacc1fdd82a046d0

SHA512
a43a6ad523a274b02218bdc62ad074a4e118823a899a96f548bcf0d9007ebb1abb8048e51388f4139833f0354bf82a7cfcf963b1b4ab4d11b7627cf2dfd916cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
88a19e2aac9ef33c61c2cd8a89dfaeb5

SHA1
828556c66ea80f56c3986bdbc751667c3a5c76d6

SHA256
3281f0c95485dfa6a3b259ddc780f6072a480283e57365ec0784a5e60921ae58

SHA512
4e6e9e5f1b347a111f6e1f3f24034c74d2d9d309f5c89b1a84fbf2374ffb664ee094e5204eea50341fc58f5cc0714804ca7c64c8d36aa7903e61286273ca251c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e2a4f1f7f60d29aa3e395c68bc240bbb

SHA1
be5d76cbb114fe1d6c258c1da0b702794ee48389

SHA256
11238b0194135f9395c68b7bac44a86e40a9a55bc856e955dd585d806aa0aad2

SHA512
73f5b1a86b659fe8ae0bad231b0c87c8ab34da8ef61ef2db7d6744e061b29196d69e4d6c6b3ba441c5006033608161df1c2624526b924fa54798535178972a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2229d343e7eab76eddc392d9a83866f3

SHA1
6fbbed17d15868ad018cc38af32a819822cf8776

SHA256
de70d7a864426130403165cdeea62c8bf211bded54fa8a8d2d30d43810248154

SHA512
699fb33501070000e6f340c714a36e7ab418d1337d0ce5adb787be5e521dd9a16331279ddb3602cf63b9d313f03e1b049ee63ed454b2cbe65217c71d594a1549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e82627ee93fc8c74309cfb92a1ceb948

SHA1
f1414a747bb98f7206ded75c12713cce4b4003e9

SHA256
f5cb7afff8e9405ca2c44f30f1f46e54288de123984e526c2f7225df26963b65

SHA512
f3065e171b34759e3d70efb0d9a5396688a617393227f09fed4ecf57c772f2bcb3e0499ada9d62b96234965e83f3de1013de676dbcb9b3d8a6e8f6592b4d4782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
c7092e044a47c593ef643da75dc6a456

SHA1
80e8bca84e362de86a7332742a62834ba887deb4

SHA256
18ac390cf8b5d7c5ceb90ce5e744deedc18be8e33c84e214bb64fbffd0686751

SHA512
b93ed015737a477a735c03e0cc884d746444d081dbb24d542ebbfbc2d30a5101799d2564733780091f28bf84adc3c7b2eadc265cb6bad6f26080abf63e0f085f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
8b6acb3c5f22953baa2c4b56a96dff6c

SHA1
632c201e37eb626920a73667b9398504cab456ac

SHA256
521399960fe1525c0627f8994e3c12e23338a58f1a7d7d44ead7c709ad5793cc

SHA512
53bb4688a006a54f9d268a3261ffcec09b07805bd0826f0d4704714b01613a37ac31ded6c3972c9eb541e939a1e91b1bac1d0bb06b6ea4c8e9ded0d9461ca375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
d3a82d4ab84af782fefa4d470dd6fbe8

SHA1
67cb5b0a6c5f9570a32ad5e752c299dfe2cec41a

SHA256
b8d89e360c344e1e2dcc998085f8ce834d2e408b6f7cfade334adbb41d527dcc

SHA512
4b780d239d53aef348a93f8b28d64937e54c32faa8d1eb64d790fbfcbb14ef22f43102b0b02454442cc121243e793080cd2344c4af479e7cc2893e686da43d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
2042241c754bc54543740e68daff54ad

SHA1
277883a53c040ac56cc24abc3f99490b08aba75e

SHA256
d3fa11620d54aba013851be3ca24606ac4efdb5c6a521e75d1a05dbfdf9de7d7

SHA512
01cb0ce036cb75b994c6cf06b31431d8685a7c43ae9ab420f9e6537128ca39b5f2a9e2e5082245ea60be8f3e5797ed49fc6e2255b67e39befa6348b220162fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bddd3d928b0f482536819fa5f958f207

SHA1
1010541f0ec41adebbc2735066a4d2c75e041250

SHA256
547d5ff13767bf4803ecf44f8474bf2466c1ed12e63ac7271bb988f6e83ea6b8

SHA512
75e8e632dbc6dda8e946860b9f57402939415a64f8996f3bb361bfcee58a9b9f77edc3ebee6aae57731f32900c994085090b11446b2bc19ff35e94c8f11a896e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5e116502a982bf234ddb835a0275594e

SHA1
76607c891046eb203ac6455c7fbcffaeb820266d

SHA256
a0cf91ea8751a55befdfffdae81868a0fad5cb24ba8a914af15a6677c0bf646a

SHA512
d48d03ebaad08425dce08156db7bbf1422598a9670750115e43910b25de254e82f38c2579282ce5d75e7d3954f2cf46a37c69a662acce085d0d4277fd2b749dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
cbbc0e94907bcc066a91ad62174d59b0

SHA1
ed926891003769c840cd2acf2e9f5404055cd6aa

SHA256
03465a0cba03133b343cc23599e633eea7fd1ea0b60f52aeb217db8254537f67

SHA512
c65f36af24659a96b3f522f97c59bda9c5e088565c59473b97be280220103252e4df3e4c55fdd1843163bdc66e6e125a4ae6c2fed9584529fd442519e001411d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ce4798b718ec5806b16b774d5ca70db1

SHA1
6225cf249156c805a661b500f05747703fa7b78c

SHA256
61bb893212be0d93db12dc8c0c3a4412fd595541505dd4aad12a2046e7e520a2

SHA512
0db29e8d4da8e8c6ebc08b3f79f3efacc60de8b7917eb392ac13619edafc466b1cd58f5bccfca51dd4cbffc83b3bc195d57da1e484f8fc29f8fce81546e9a59b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
63a7e8c51fce11f7f80ef8dd357c6e41

SHA1
643227ea99b330be855ac09480e02eb49866bad6

SHA256
57f19bd228114b9c18731deee91979ef4a2e1daf7cd40c0bc16963a6c4eded1e

SHA512
eaa7798396d5739cef2cc4ee8117b1f007cc37aca8668eecb096e9f18d556539f7463fcec0fade826dfb8189946fa946fe709d2840b58db1b71c6812f74f040c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
7e1cb8954f7fd8a075a0ed8b70170790

SHA1
7e46ca840d578dd4cc975565c0f43b42974160e8

SHA256
efa5da31409070be18335296114372b893e582ac6d9098167ee156f0970649a6

SHA512
1a03000df1a7d0e081460b164f09e73e10d7197538ff5403f6aaf71a9c095edaaa85a375a84c643f196702019c739480ce6c528a9d72f42fd23c1995c02ebf3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0254bd6648bb2d5f95bc84fd0267d1af

SHA1
5375bcdea51dff90fca16ee7034689c428820144

SHA256
a5eabe794cf6897f2a4aa54f933699d4608c9caad23ba5e9b178bdcbc0d39eae

SHA512
ec1fb23354d8153820beedae156d4d77843485953f167e7e2e48156cc6c6a2fdcc7130be73030b3fd23ac2ec6f73c68c3a11765417548059eef40ffa89a8473e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f04fe1f0912a7ada74ab092f5a777504

SHA1
655764dcdd085145ec243947c76d7458d68d4c7c

SHA256
ca01fce111bce3c907fc28525cbeb98711db11f074cd4e6e3c8f0791f2bc37de

SHA512
7bd674c37f58d208f62b7b6cd7c640f2f4006de87b7f192ca091fc160c13a3f121f8a3cfe8298a85e192212250fc97fd779d99de1c21c9d9305ec2717f3dfd66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
16dd3e0774d94fe4c7eed8a4e7af8ecd

SHA1
66fc6784027496e61032fce7633a23a1d7bac39c

SHA256
c093f0053c50c2579a32db839ba3b2036033a9c939403dd8bd07aa9d23dda22c

SHA512
7b074ed9a485f3fdc57ddee46f8d8c7de3760caa5d4825880903488a2646de77c09a0c8ce546f540b88da9aad6946a500084575eed98a3ec067b94f1456266c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
02f7a1f959487a6e84a60981e97f1985

SHA1
c83d9b2a89b35ffed28bc23ec0867fd6e5eaea68

SHA256
ae0a1b338e16a4b1e9e1a94470b96763b9db05904302bf6ba2d493767568da2c

SHA512
5ff622fc968e858e39b731574131781f85abcb2d3a65e0afa090c445f76b715883ce4d076d8eaf8ae5a14321cb2f483cc98c0f394429b2434a0962753bcad424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e951b35aee9e550544fc4ed3110377e3

SHA1
6e8c2971e5e2f11cba415555f9a02f2f97230029

SHA256
fb124c3865f71adedce876d15bbec9c520ac03339b36a1560af1d5c04c3c9d08

SHA512
96d4e8719fbf243a8daac44ca0b785731c81b304ccee5004145deb90719ddaea362879f13b6b0f88001718d4ac4abf1a890a4cd4ccb0930a7e9d7723c1982c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f7289c83ccd8bce83159bd26ccf6d2f9

SHA1
2b8bbbbee8c4f9cbca1df7e1e0f2c4b987e91cf9

SHA256
830083cad2156346aba76f01c2bba607befdfb79486134ac99677bc8f84721b4

SHA512
eb7d22ff05e0e7fe039d33a76056bc41bfa9aa1e7fc16037de4c1497250a12a373b7926951db6ec06033fead60e3313205000b52df201c9197d1df3673fe2093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583e8b.TMP
Filesize
1KB

MD5
e6df7e065ad6146fbc407e8e7643ef63

SHA1
361fcf60a0760a2e2a120153a54967fc09a149ce

SHA256
3a9c2d517eac0d3d79b615d42582587d58ee37cb14a35857c97210c821e20e81

SHA512
8b2baa24b4eef0a2b277f70c4316130923609279df08996ba46a8b8cb1ae59a20ff958e8420c3540eec21a40afb7ef1fc1c1ccd1235cdb556e2fc2aad590f390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9c32ea5abdb59acc475a60d6b99f1e77

SHA1
e0a983f875539f7127c0e16e54e058cebf902af6

SHA256
aae5ed2c036ad23dad56612b0b0c55d5993d475953c7015e734cd7de81c5e8c3

SHA512
8615fa342bb4e6074dd0dd2f99c7515f0a7d179fdec4190d8c370842d41fb47d3324bdfdc1b1542aea17358bdb3a67202a99d48116569d7c31de755b7b7b3a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
dd41ded84dd2a652c5557649e74f2ec7

SHA1
3a096ebd70f6c3359c46ec0caaddd061396c6ce8

SHA256
ee37cf2683a9026fe482fd2aac216ccfdee7531d5d9565dc14adde9e65011735

SHA512
2468454d99cbefdcd1ee4c326f7604b5ddcdc973020e57e162d7727db329ebbfe0b0b027adafa7bff41945b19831376c54c447cb6f141d83b9136c5e3d49670d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d69e0ea29b98fc592b1f7ebf11e26fd1

SHA1
d0feb0e55f1223cc9010961777aa6a4534f7a136

SHA256
2a40a2df622d77fda7ad8ad2e147775e47187c44a94bdfc62ba69fc71843f2da

SHA512
39815acdbf18efe9a611d01f68a6d50dc2f7c7eaf38119e8333e72c1335b420d0ce630b145bd1a3fd988685bbaefc4dbe20ba54c9f35310cb660f9461a3c308b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1e0debb30c41a65bfa8fc56f7fa6269f

SHA1
d770f358c403396891f202b0ff1fdd56a6ee87cd

SHA256
5c6a539907f4441ead481cc91fefb99ed988160b3e5f8b522aafd6d9f1164a38

SHA512
7f716d42dcf7afcc97355d7beb3e47d7f995350eb26a409ff80a273c3a8de51db49d26182e6befbe30b357d7836f6c75001528369bf4af4233a82800ad665260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4a7ceff7a16bb820a2fa92e1493f5d16

SHA1
1a4cfc24184c95e3c7dc0f2099052d8d83b95064

SHA256
89cfdc13784fbb15d0b306ca506124d0eadfba4bc5b0871d49f375a1659cc222

SHA512
605326e5d0088c7d3c26ee6528c29be3ef0cedb79d01b86737fb701f669addd78a3d6da59d776b95b6a1a1fdaf5ceb481654bd352dba1900e9e3f6b660e98e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
a6c5ef4e625a32253ab76dcc8ab2f4ca

SHA1
cc4b14464e25e677004b9e18189811ae94d5e0d3

SHA256
1919998acb5dd5e55c0800d5e0b074a6d715d8dbdd9af243208669b872addb19

SHA512
4551a3500ad72cba6ce7870371c4b4127ee4897e8f5dd1e215853731c73b34fdf10a63b88a92a1f9d8f0d4577c1d541047a41e4936bae94cb871d6f2f6933695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
64f9898419d666006f8fc4ced4121cae

SHA1
e3c5d3bbd3e1b3682d0a171bc064a8719e1f4410

SHA256
7ff50f10836b9139899a9d7892c6e36dfcb2a612999aeb45eaf208a3e2c7c7ff

SHA512
13006601cfa310e9385c17823f9b951bd3ca0ba9c4af02ccbe7e7459b373816083362dc11f56177d9d9f4b088503fb6904c79e493e7b2c7a05eb5e28c0c4d0e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
12KB

MD5
e070de2e84133c431cea2c7c2ff7515f

SHA1
dcb0c89a079ac49afe79b8425c8b137ecd50b9e1

SHA256
fbdaa6c16157d1a2bd00c133eb35c7b773192d8b45656b64281c0038b63b8022

SHA512
177996caaaa542ac55fe5a8a0d7a5109adedb4bc15b728c2817873ce57c077d0e9529010eab5fd36a290ff942970cad1769fe7099257cf99f7817f226965cfc4

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
Filesize
590B

MD5
2850b4812f18eadb65664becbb1a1991

SHA1
8e572eea9058cde5308868d117653d22d197182c

SHA256
31250c1595fc6c7a54e678f93b72d58541cc7ba2aaffd54c8649070736f1233b

SHA512
b18437e5ac1ba1fa2c8371b70bd36720791c6e826bc6c9a88e3f73988917dd6c4e11113fba13e695bf7e428a761722862ec6bbe167a848f8c7329f0dd044a18c

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
aa3a553d7a9928f8e96b9a8cd2158e0d

SHA1
eb57ecaa6e13252bfeabebdcaab3addc3260c86c

SHA256
437e1f11a0c01b24c52247246f3a8888a299ac07903826df84506e7e35bd4f7d

SHA512
85535560a5989224b5135000912511e5c9416309ef7a4889565d97f7a54e0968e39986f08530bb85cb3ceae233067c5e38fb8b07236a97bca3fd528038b5b6de

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
3e8b38f6a7755f234166bda5e448a55d

SHA1
262ff7ff9c99f92289ee13ad3d2f5ad3b3003691

SHA256
1f87e62fadbff58d765eaaeee69ea71e93da36433326f8953d5f852e403763fb

SHA512
170979bfcdea98635b7227b26e604fdb0d2770d028e6b05a9824be366ea66356fa4c11b2f634cd0933a182735ccaa9b0de1bf2c39ca474b0fa0f8beda7cb5217

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
38e4e4e196b0637a9d6ba3938da47ccd

SHA1
3e9148cd81a084c800ebbcb906871a28deea047e

SHA256
8acb14967bddbf781fced41eace9cd8652b9cc2db0fd2e445174cd75c579ef29

SHA512
2dd92abce7d3b5c7968a3f48cc0b348af2abb950189e497edf7055d1be6cf0b6a8f85e7ec3bdbd68181e81a3db2ca9c3c2b33fad1fb063e4daae6c6a73ebc00e

Download Submit
C:\Users\Admin\Downloads\299521707526277.bat
Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 796564.crdownload
Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 796564.crdownload:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 90599.crdownload
Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 927030.crdownload
Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 959241.crdownload
Filesize
48KB

MD5
ab3e43a60f47a98962d50f2da0507df7

SHA1
4177228a54c15ac42855e87854d4cd9a1722fe39

SHA256
4f5f0d9a2b6ef077402a17136ff066dda4c8175ceb6086877aaa3570cabb638f

SHA512
9e3365c7860c4766091183d633462f1cc8c30d28871ae2cd8a9a086ce61c0bccf457f919db6826b708f0cf4f88e90f71185420edc4756b7d70137e2096f8797f

Download Submit
C:\Users\Admin\Downloads\c.vbs
Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry
Filesize
628B

MD5
c37a9eee8b8bd1652f9163c16e92f192

SHA1
aa3344f30a79ecd2c9ee21552e7e5e86a6ac3146

SHA256
6029ccb07cdb9cd69a410e6fe535f84f3e726b8c2f8b1a39d715a7872c198458

SHA512
1df25e9509d21f6bfe4e0e4bc0f0b703d063a9be899e5c4fee1ee123d3bfb538b6475392649a677d0d7f844ce8581dbc73755ad571057a4f76368fc5a841ca10

Download Submit
C:\Users\Admin\Downloads\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry
Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry
Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\LOCAL\crashpad_4716_ARSXRSWKNLXKEZWU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1724-776-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2844-484-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-481-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-483-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3132-728-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3132-693-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3132-695-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4396-688-0x0000000000FD0000-0x0000000000FF5000-memory.dmp

Filesize
148KB

Download
memory/4396-689-0x0000000000FD0000-0x0000000000FF5000-memory.dmp

Filesize
148KB

Download