wannacry | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
1050s
max time network
967s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
01-04-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

@[email protected]

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Control Panel\International\Geo\Nation	@[email protected]

Drops startup file 2 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC8AD.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC8F3.tmp	[email protected]

Executes dropped EXE 64 IoCs

Processes:

pid	process
1600	taskdl.exe
2872	@[email protected]
5080	@[email protected]
3968	taskhsvc.exe
2176	taskdl.exe
4224	taskse.exe
3500	@[email protected]
1316	taskdl.exe
968	taskse.exe
4336	@[email protected]
1432	taskse.exe
776	@[email protected]
612	taskdl.exe
3492	taskse.exe
4620	@[email protected]
712	taskdl.exe
4720	taskse.exe
4144	@[email protected]
1220	taskdl.exe
2036	taskse.exe
1180	@[email protected]
5096	taskdl.exe
2244	taskse.exe
1468	@[email protected]
3088	taskdl.exe
2984	taskse.exe
196	@[email protected]
804	taskdl.exe
4744	taskse.exe
800	@[email protected]
4828	taskdl.exe
2416	taskse.exe
1432	@[email protected]
2732	taskdl.exe
4976	@[email protected]
2124	@[email protected]
2352	taskse.exe
532	taskdl.exe
4544	taskse.exe
168	@[email protected]
944	taskdl.exe
2232	taskse.exe
4568	@[email protected]
4128	taskdl.exe
4852	taskse.exe
1460	@[email protected]
4624	taskdl.exe
1604	@[email protected]
3384	taskse.exe
5040	@[email protected]
4304	taskdl.exe
3748	@[email protected]
4828	@[email protected]
3596	@[email protected]
3444	@[email protected]
372	@[email protected]
4424	@[email protected]
4496	taskse.exe
744	@[email protected]
360	taskdl.exe
1504	taskse.exe
596	@[email protected]
2716	taskdl.exe
3032	taskse.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2352 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe

pid	process
2352	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tnukswkuxomcee584 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

Processes:

flow	ioc
29	camo.githubusercontent.com
32	camo.githubusercontent.com
116	camo.githubusercontent.com
118	camo.githubusercontent.com
145	camo.githubusercontent.com
204	camo.githubusercontent.com
114	camo.githubusercontent.com
119	camo.githubusercontent.com
122	raw.githubusercontent.com
201	camo.githubusercontent.com
224	raw.githubusercontent.com
225	raw.githubusercontent.com
33	camo.githubusercontent.com
121	raw.githubusercontent.com
146	camo.githubusercontent.com
115	camo.githubusercontent.com
117	camo.githubusercontent.com
120	raw.githubusercontent.com
199	camo.githubusercontent.com
226	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 15 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exemspaint.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2956 vssadmin.exe

pid	process
2956	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEbrowser_broker.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0d8b8756684da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043558b25e9f5814eb5b553d52bbc34a7000000000200000000001066000000010000200000003998ab119b9c4efb417c9973bc96055115c70da191d802d9a5120be79b9f6409000000000e80000000020000200000006f1ac45fe8d50b56a93bd6ed04ab8a0bc8cfc672cc3270b6170cd2ab5affe36320000000db9a57c35b941e0fe4eb793e95827684d4f75dc44443b86515cf319670bfb3c240000000e2f21aad1b3aa0bb300eac51376fffefa935efdaf160e3c08c1ae3d1dd2f83f0f6528bc51b56e71c77a6c209742c9421da7161ab1607a8e23c5d6c4d3e84b3d8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0d828766684da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043558b25e9f5814eb5b553d52bbc34a70000000002000000000010660000000100002000000043bde6b856c87a29a8869e1b327f499d20b1975db037d7faa6977a8acbafa23d000000000e80000000020000200000008e72f43e0492e004868e4925a0444be53b0551395b7f1660ed7a33ac15041e492000000021d7fda84a3dd78f5171ecbe25f49ebec7500585b535710b83cf6e65f85a594f40000000b98be3e4f35ed1026bd063e9eaa71238d1bbaaf1def3af5e19ad91a5302cc886f1f9718e98a060ff01e6039026cfa81eb6b75a7c3424eb19991d65c436350135	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9ECF2BA9-F059-11EE-8AA1-FE175573622D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31097958"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1933809754"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31097958"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1933809754"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "21"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.msn.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.msn.com\ = "101"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "37130"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "1280"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url7 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "2152"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime\url6 = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "60"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4756 reg.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier firefox.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

taskhsvc.exemspaint.exe

pid process

3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
3968 taskhsvc.exe
2272 mspaint.exe
2272 mspaint.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

836 MicrosoftEdgeCP.exe

pid	process
4756	reg.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	firefox.exe

pid	process
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe
3968	taskhsvc.exe
2272	mspaint.exe
2272	mspaint.exe

pid	process
836	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 30 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	process
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exefirefox.exevssvc.exeWMIC.exetaskse.exe

description	pid	process
Token: SeDebugPrivilege	4160	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4160	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4160	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4160	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2688	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	2688	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4288	MicrosoftEdge.exe
Token: SeDebugPrivilege	4288	MicrosoftEdge.exe
Token: SeDebugPrivilege	1120	firefox.exe
Token: SeDebugPrivilege	1120	firefox.exe
Token: SeDebugPrivilege	1120	firefox.exe
Token: SeBackupPrivilege	4404	vssvc.exe
Token: SeRestorePrivilege	4404	vssvc.exe
Token: SeAuditPrivilege	4404	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2724	WMIC.exe
Token: SeSecurityPrivilege	2724	WMIC.exe
Token: SeTakeOwnershipPrivilege	2724	WMIC.exe
Token: SeLoadDriverPrivilege	2724	WMIC.exe
Token: SeSystemProfilePrivilege	2724	WMIC.exe
Token: SeSystemtimePrivilege	2724	WMIC.exe
Token: SeProfSingleProcessPrivilege	2724	WMIC.exe
Token: SeIncBasePriorityPrivilege	2724	WMIC.exe
Token: SeCreatePagefilePrivilege	2724	WMIC.exe
Token: SeBackupPrivilege	2724	WMIC.exe
Token: SeRestorePrivilege	2724	WMIC.exe
Token: SeShutdownPrivilege	2724	WMIC.exe
Token: SeDebugPrivilege	2724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2724	WMIC.exe
Token: SeRemoteShutdownPrivilege	2724	WMIC.exe
Token: SeUndockPrivilege	2724	WMIC.exe
Token: SeManageVolumePrivilege	2724	WMIC.exe
Token: 33	2724	WMIC.exe
Token: 34	2724	WMIC.exe
Token: 35	2724	WMIC.exe
Token: 36	2724	WMIC.exe
Token: SeTcbPrivilege	4224	taskse.exe
Token: SeTcbPrivilege	4224	taskse.exe
Token: SeIncreaseQuotaPrivilege	2724	WMIC.exe
Token: SeSecurityPrivilege	2724	WMIC.exe
Token: SeTakeOwnershipPrivilege	2724	WMIC.exe
Token: SeLoadDriverPrivilege	2724	WMIC.exe
Token: SeSystemProfilePrivilege	2724	WMIC.exe
Token: SeSystemtimePrivilege	2724	WMIC.exe
Token: SeProfSingleProcessPrivilege	2724	WMIC.exe
Token: SeIncBasePriorityPrivilege	2724	WMIC.exe
Token: SeCreatePagefilePrivilege	2724	WMIC.exe
Token: SeBackupPrivilege	2724	WMIC.exe
Token: SeRestorePrivilege	2724	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exe@[email protected]iexplore.exe

pid process

1120 firefox.exe
1120 firefox.exe
1120 firefox.exe
1120 firefox.exe
3500 @[email protected]
2676 iexplore.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1120 firefox.exe
1120 firefox.exe
1120 firefox.exe

pid	process
1120	firefox.exe
1120	firefox.exe
1120	firefox.exe
1120	firefox.exe
3500	@[email protected]
2676	iexplore.exe

pid	process
1120	firefox.exe
1120	firefox.exe
1120	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4288	MicrosoftEdge.exe
1376	MicrosoftEdgeCP.exe
4160	MicrosoftEdgeCP.exe
1376	MicrosoftEdgeCP.exe
836	MicrosoftEdgeCP.exe
836	MicrosoftEdgeCP.exe
836	MicrosoftEdgeCP.exe
1120	firefox.exe
1120	firefox.exe
1120	firefox.exe
1120	firefox.exe
2872	@[email protected]
2872	@[email protected]
5080	@[email protected]
5080	@[email protected]
3500	@[email protected]
3500	@[email protected]
4336	@[email protected]
776	@[email protected]
4620	@[email protected]
4144	@[email protected]
1180	@[email protected]
2676	iexplore.exe
2676	iexplore.exe
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE
1468	@[email protected]
196	@[email protected]
800	@[email protected]
1432	@[email protected]
4976	@[email protected]
2772	MicrosoftEdge.exe
4968	MicrosoftEdgeCP.exe
4968	MicrosoftEdgeCP.exe
2124	@[email protected]
168	@[email protected]
4568	@[email protected]
2272	mspaint.exe
2272	mspaint.exe
2272	mspaint.exe
2272	mspaint.exe
1460	@[email protected]
1604	@[email protected]
5040	@[email protected]
3748	@[email protected]
4828	@[email protected]
3596	@[email protected]
3444	@[email protected]
372	@[email protected]
4424	@[email protected]
744	@[email protected]
596	@[email protected]
2600	@[email protected]
3632	@[email protected]
4536	@[email protected]
2880	@[email protected]
96	@[email protected]
1808	@[email protected]
168	@[email protected]
1856	@[email protected]
3712	@[email protected]
3040	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MicrosoftEdgeCP.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1376 wrote to memory of 744	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 744	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 744	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 744	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 744	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 744	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 2688	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 4336	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 4336	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 4336	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 4336	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 4336	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1376 wrote to memory of 4336	1376	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 4684 wrote to memory of 1120	4684	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4144	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4144	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe
PID 1120 wrote to memory of 4720	1120	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

364 attrib.exe
3168 attrib.exe

pid	process
364	attrib.exe
3168	attrib.exe

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://github.com/Endermanch/MalwareDatabase"
1⤵
PID:3712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4288

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.0.200351242\1247508057" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26b0f2c3-644f-4611-ac6a-2381fec2a603} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 1792 170f85d5858 gpu
3⤵
PID:4144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.1.1950117714\1543839667" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3aae897-c148-4de7-9d5b-10195cea29f9} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 2148 170f80e5958 socket
3⤵
- Checks processor information in registry
PID:4720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.2.1840879031\267276881" -childID 1 -isForBrowser -prefsHandle 2836 -prefMapHandle 2608 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78c408d1-b3df-4c17-8c2b-04e98065151b} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 2864 170fc503258 tab
3⤵
PID:3216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.3.2067728369\1664162057" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2024309a-2edc-4c7c-a831-687d939134e3} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 3504 170fac1ab58 tab
3⤵
PID:436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.4.1467871473\2015820799" -childID 3 -isForBrowser -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dd4229e-924a-4336-8d6e-5137138d5b25} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 3536 170fd6f6058 tab
3⤵
PID:1852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.5.543013916\1796064318" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4924 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a21949e0-d49c-4065-ac23-d5cf2ff900b3} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 4944 170fe3f7b58 tab
3⤵
PID:4300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.6.986518899\115869028" -childID 5 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {920f9960-e8c0-4b11-b658-386611b55456} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 5068 170fe6cf358 tab
3⤵
PID:1376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.7.908965599\990849644" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5276 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dbccd9a-8329-4d7d-95ef-bf3d537653ca} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 5252 170fe6cde58 tab
3⤵
PID:3324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1120.8.1676351361\264312700" -childID 7 -isForBrowser -prefsHandle 5796 -prefMapHandle 5792 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68dbce89-787e-4908-980d-3bd697fd9523} 1120 "\\.\pipe\gecko-crash-server-pipe.1120" 5756 170fdf36658 tab
3⤵
PID:2232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4704

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:364

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2352

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7951711997622.bat
2⤵
PID:216

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:4648

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3168

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:3808

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2956

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Checks computer location settings
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tnukswkuxomcee584" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
2⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tnukswkuxomcee584" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4756

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1316

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:968

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:776

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:612

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3492

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:712

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2036

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:196

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:804

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:800

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4828

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2416

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:532

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4544

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:168

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4128

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3384

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:744

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:360

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:596

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:96

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:244

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:168

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:3816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DisableInitialize.mht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:776

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2272

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2676

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:372

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
e5f6313afae8e328523ee9ddf6cabf19

SHA1
e4a54aef93ae6366f36f199de4e2c0733fe1ffdb

SHA256
4ae79b86fe2f766662fa5c042f831d1e0815a5d15a96d5554bd0ce3409733426

SHA512
1d435e0625a3aa93bc905e1b12130f0ead9be7ae4feb5949d485050913cdb86790982671b25aa23765bb39ea884e78980d96435566c7ce48ada1856c2a4c1006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OBUH2B2B\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\42JZUUPK\Y26LIcmRz0EdnBtSjtN2P4pbrp4.br[1].js

Filesize
7KB

MD5
b3ca28114670633e5b171b5360bb1696

SHA1
683f2fb3d4b386753c1f1a96ede3ca08547f0e02

SHA256
a8b7da1f71211278c07582aef2f3f2335b7de5076e5708db6e868ee6cd850490

SHA512
bf71ac8f59653b8035c1fb8555b53371610ae96c1a31e7bee02b75deb8e46c68b46a29dae360c579bcf9ab051f5218edbd075567b99a9fb894e7c50251676677

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\AEWHOr0nbNJBoO_0Tes4sHAPPlTSTl5Uc1E3B6K0ZTs[1].js

Filesize
17KB

MD5
991d5773f9ab926015d7a1ad6409560a

SHA1
6a2c9b01ca6a2e5e9ec9a56423d77b6fd8cfb501

SHA256
0045873abd276cd241a0eff44deb38b0700f3e54d24e5e5473513707a2b4653b

SHA512
54e21fea218280e0331f7bc291fdee07abbe2604974e8ada4c5e495c2d20e3f1f1649f3a22bb07d0d5b4dbf19c4625d96c0907db836ad3deaa86dd953b1133af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\Endermanch[2].htm

Filesize
207KB

MD5
d6692d46ad59dae748d1ab549f4e619e

SHA1
c8273f41fb97080fc6bbd7ea5ad7e95be89ddc57

SHA256
60a5a243b3409a9b2aa2b39d556e21c8ab98273d2cc5cb963252c00ab14fc9bd

SHA512
2f347d4f4a0ea98398ebb947eb9ebe29bf91bfe8ec311f5bcfabbe986c211fa059f0726ac91c51baa90e01f58e7cbb95b71b1dcf97b1c412c25aa28b56f77e78

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\profile-f2ef6325cb5b[1].js

Filesize
28KB

MD5
dbe5bb4d5ca338182367255c7298f87c

SHA1
3db60451e925483d4d029403b5c29371a6759b3e

SHA256
fd37d10bd71ff85559e953a150797b0b12aeedd93232a8394c0a68974550d16f

SHA512
f2ef6325cb5bc666463ebb91ed07439f1e494115adff4689ae735d0da51f129618caf740477800d12276eb0601ec23f8efb8b42cd805c8ccc3dd8b9d5c510862

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_github_remote-form_dist_index_js-node_modules_primer_behaviors_dist_esm_-7fa5af-f0c4158b1e20[1].js

Filesize
25KB

MD5
688fdfe93e47a7e419cbab83cbbc71df

SHA1
32181ea83fb3b9be1832c8a4f0b736fe1849bef1

SHA256
8202f3cbd73679bcc6f68d66acc757116f0456b380e2a2041a003f2f1142eed5

SHA512
f0c4158b1e20d67ec821575ee25b483f89cfef1c4eed2f23fbe519113c349cdde8d88bb28a78d42c88326a3a4990be03f6ec28cbfc3430a6f47f2afa308af53b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CSJ9TYQL\fRSNKQanUHk53F1a1Bi8UA71Qt4.br[1].js

Filesize
289B

MD5
9085e17b6172d9fc7b7373762c3d6e74

SHA1
dab3ca26ec7a8426f034113afa2123edfaa32a76

SHA256
586d8f94486a8116af00c80a255cba96c5d994c5864e47deac5a7f1ae1e24b0d

SHA512
b27b776cb4947eef6d9e2a33b46e87796a6d4c427f4759c08cf5aa0ee410a5f12e89ca6ab9cddd86c8471037e3c505f43c8b7fc6d8417f97f9fe3c5c47216bc4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\profile-7060b040e181[1].css

Filesize
11KB

MD5
74f5adf9d5df9e73ef0a96078c744a89

SHA1
40ae42e2e481f0cbe0804d6f79aea43868e4a180

SHA256
208385c2b14141508b3c6b0012cba013aab0ccc268c31597d4ffede9e9ad1ac0

SHA512
7060b040e18186b1f5d7433677ae81d51efd9c0c9b0306a10971d4ec1162b64e6c3be2835b842d1334a4f818694f339579e98307f3b099634def84cc06e6ca24

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\recaptcha__en[1].js

Filesize
499KB

MD5
48c590d47c8b1868cecab334e9a34cbe

SHA1
5f1a9f94294ec337f657ac2ebec1c74e097ce5b3

SHA256
f3756825df5194a174b7a55ebd3b484c276766eef21343d34b053b98ed386801

SHA512
24b9e42bcebefcb81d2dc8760256a63e84846c2a49cee2a6b3904eb5dba4551dbea599e0892c7fa6674e32d6e047ca31b396add5467f6d3fadfe8f9b3a72a6f2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\warmup[1].gif

Filesize
43B

MD5
325472601571f31e1bf00674c368d335

SHA1
2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a

SHA256
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b

SHA512
717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\J3H6RAGL\www.google[1].xml

Filesize
95B

MD5
c0b8b91a2d9437393677f941f91cf486

SHA1
ef627fa9cc9d8af1a61b8de4b9a4631950e2801e

SHA256
3d59b3bda25bbda911b67ed98fbcabd7b67d14dd79f2ff61b960946028a213e3

SHA512
c2363323597b3424d112ea22d554c73389655b92991d76d228cb6fe7edcd3ec771a4ad2eff12c4576ec8af3eb1bfdb0167ee99462d03937481501e053174d5fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\1D1XF76O\otBannerSdk[2].js

Filesize
426KB

MD5
9407efa17b9fa09288ff833eeb111cc7

SHA1
4fba1d46d43eeaeff48b8493245e5cda953285c8

SHA256
9cfaaf4e24c9a20159123c632711d2cbb98854a66ab659a5c24373633f180d4a

SHA512
f864566e20f37099463b4bb39665a52293402d293f9bdbccdac3b6cda7db41f91ce79c34786129f84c822f2c35a7a0976060fcd97271dd27685e4f6255f70b0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\A4FYPV5P\common.5dd7cff85de67632bfd7[1].js

Filesize
743KB

MD5
cd8d2938dfcc295d8d63f9e40e79b3b4

SHA1
08a48c71162cb94c0a4737376c499de1b4666a90

SHA256
881c2664c20a836f6784a1db963fe6f69f5809912ffa0b2d54ecc1361526e922

SHA512
fc252ab5d8444efbc3072b1101c7ce89f91cca35cef475eaa3c28b33dc746aa36b6ac82d1a6d896a975a3e086d8e73882af29392d1235962883bf9e7f0feb590

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\A4FYPV5P\microsoft.8aa91a5fe4f5d8517ae1[1].js

Filesize
142KB

MD5
1b4bd481201681e6e6609b4e84d91900

SHA1
712b959a52f424694b3fa5b852c3d7adf27bc19d

SHA256
ce3eeed6a430adf998eac68138d70e1d064cc81a54274c00b71a22f6c1e0b2b0

SHA512
e844c8e156b94fdedc70830471a4b8cd095926c0a0e5fa3c2685b34a7efbc8d2bfdd662513f46a2021b92d46289ad25ebe7b54d3885c438ea3d4fb7cfb17e5fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\A4FYPV5P\otTCF[1].js

Filesize
38KB

MD5
ccc7bdfd4fec43bb4e2ee254705af6f9

SHA1
9a2a188ff810fd0f025266d2b65f448a5ca84181

SHA256
0881d43075354250e7ca66af2628b7f894bca339f73be5add8c16e166d253708

SHA512
93e7b2cf7c54dda5bacede673dee2829335642aca27eb36afc4a117ee38e00bbc2ee801d751c7af5cbd1c31d0fb92643a862ca710f243e4e9fe64027fa0e39b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\A4FYPV5P\vendors.c47bf4f4981f23895ddb[1].js

Filesize
206KB

MD5
01cd3e668d1acb88b93ab929d450ae63

SHA1
f44e64fd07d828ef0b41a127faf5fc4d0ccb7515

SHA256
76d32a47254928b038acae6e59dbad89eff8d7126eae4391a3a869a3ab6a4eaf

SHA512
b8c1db0645e3aca3e5953724077fa2699216e1f8f780346fba8bbe27f1ec2d8c7bef62dba1a88d3cec8db445418bdc7c3307ac3bf84abfd400d1f1678681e368

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\I3TE3QSH\web-worker.440858f9fe4973b6d967[1].js

Filesize
107KB

MD5
3c27e2c5547d9a2776909c6c8da8bff5

SHA1
c347bc4ea26cf2c55475b558ee9d29b739070c87

SHA256
0c1146defd2749d575ddf1f34be4c0c6fe6991de08adcf85555c255df9ede1a8

SHA512
9173de0eb213aa52d84d21bea9697c7abeffd5b8be2085e53478f4821c219f1b133dbaf10a26584405880540643bf0d1bf9e9e7718339da7fc03811c7c8231d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\QEANMWW1\www.bing[1].xml

Filesize
1KB

MD5
563427f1030cb3e83bc4e7ef7812d05f

SHA1
7c842ade0d3d3c4565fb347e9822bdf7b2c7f149

SHA256
a4384e66587478e4057e3629cea8ab790fcbae61e5bcaedde490742eb4e67c83

SHA512
90996a3130f68879fa0c71736732cd0604c919fb83d7dd2cfe40cedecf7baa3a62007ad32d7bd4d8ed518e23cdbbe3de1a614938323320cec9e99f35ce9a0dbd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KR61FGQE\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KR61FGQE\favicon[1].png

Filesize
958B

MD5
346e09471362f2907510a31812129cd2

SHA1
323b99430dd424604ae57a19a91f25376e209759

SHA256
74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08

SHA512
a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\NHQ7WCJI\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\NM73A63J\favicon[1].ico

Filesize
758B

MD5
84cc977d0eb148166481b01d8418e375

SHA1
00e2461bcd67d7ba511db230415000aefbd30d2d

SHA256
bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

SHA512
f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ZPLH0NU8\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF1997DC76998498FB.TMP

Filesize
16KB

MD5
a8d028155ec4786e4bba3133451af8ed

SHA1
9e6bff0b3c9050efc6a2ebec06abdcdd50c921ae

SHA256
e6221efe216464e12496250653ea94e84f05fa909b920ae7a97d2f2204a5b273

SHA512
320e81ace4867301109c85ae13ea9be60b161d0d539f5593f63bc1f0f8a00612dafb4a317dcc76954889055af4335b218cdf5a4ea32f412995e79a89b095b7bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\42JZUUPK\MalwareDatabase[1].htm

Filesize
287KB

MD5
64696d9e7303562d992aa302dd6a8084

SHA1
688735dfbe0da6c6c3ff24c1c995b7fbeee0453f

SHA256
80fc462d092e9cae5a8f5454fbb3c86bfe99e1eb2364be6dab16a037315f2d58

SHA512
42c7fafbbeefdb3721028db5f93badb24bfdb33dd028b0a57435c5ba769176241c58f614f2354d81919d6e1bead96b9c0b6e63e3e65db1c3de36e819ee5f12f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\42JZUUPK\github-19c85be4af9c[1].css

Filesize
116KB

MD5
08a9321c7a5e7988158d86b61b4a2a80

SHA1
890c5a4a3d8af53b5ecaf2efa13b345ca3233a77

SHA256
08754f9acb163a564c71c8c08b9cf03e9912c486ebff08f7ea376b74742eb361

SHA512
19c85be4af9c4eb8e532503ef3730d233318504d8b1f5f5b535bbd3b067e5d072072500bee3b65b1b91b0ca7414f4f21fa6e79365cf19ea07a98e527e1c00b3f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\42JZUUPK\repository-6247ca238fd4[1].css

Filesize
27KB

MD5
0c6e7f9ad3d84702fe070a9dfa3e400e

SHA1
b7779f1b9dabe9a148255f6f6f98ca8545ac4017

SHA256
07036a0205f8314a3f5cd3ec9eeb44872b79c2418efc20f0945b0ac5c6a83199

SHA512
6247ca238fd4503095653dabda8f9e5937cce5091ec403d8e613dd2601db2b9425d103bcb389fb507fd0cc4a205711c2abb8a7011bc411b65823576a39f355bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\behaviors-91d3668ba8db[1].js

Filesize
230KB

MD5
6bd0e8bf7604f8cb759e655f8001cd5c

SHA1
37de4d4ab24a740a7d197f644be4492a432b4591

SHA256
0291459f37567c74c3effaa6973f81e3d13097a9abef075fe77c13f5f6f16110

SHA512
91d3668ba8db701746177233d4aa87f0e445b89f5ba96d7e7dcb6ec20d6a9cfd461b9e1529fd4fdc74183aefeeaf240ea7b57438fb636e3307cfcd9e85b281a0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\code-111be5e4092d[1].css

Filesize
30KB

MD5
7cb9080aa576934b53486d3746529970

SHA1
cb9ad049ca59d0dc0095470fddb2bda8798211cd

SHA256
9850beb3ebe2c31da0ece9d1a823e5e7d26983626c6e2acf4210d33abf6660c9

SHA512
111be5e4092d831d8e068ff4b6d2be94cbccb5bf92adc549a6c2506c4712ac177d15a61b56bce1919a2bdf9bb66d4a24b805db3aaddeb86823912d1df805f2fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\element-registry-b87c2b6c3608[1].js

Filesize
45KB

MD5
c33f74f0aa268914a074bf0f4b4276bc

SHA1
e065877e6133d708f39e32aa31de1d3f4e26f61d

SHA256
50f48c03b258378fcd98d43c2b645d035ba61bf9980cb28cef32a8a5abeb4846

SHA512
b87c2b6c3608044312ad1a125d2d7eca92eaef8c551cfc0d0d5228384b223cd5f2e597fe2a615d492f02105c76a2b9915d6765b58929778462c703cc9323d9c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\environment-29216db1b92a[1].js

Filesize
4KB

MD5
0f6ee65334ef78689e14b35c6f19abed

SHA1
ec9526a497e3beb5fa8eb183c0998ac5cc8c96e7

SHA256
558103e3d3092fa36d65938b0fcacca72086e251be75d4cd44c1e0e12e21d1ce

SHA512
29216db1b92a0edac103be2164d277e1ad0023a5e9d8a0040772e1234967b3a8f92a8c763bd2221aaecd2bb3bbedd989fadfa2684add80a87d220b13811ea775

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\github-elements-9e3dc735b5f9[1].js

Filesize
36KB

MD5
8e1411cb377ab50a97af38280b3e22ff

SHA1
99b1b064b73d97867a57f0d66e154f4c04c09b97

SHA256
b06424d0d9351b81ec90106376e979b1ed7afaa8ae25f948c8056db900dcd1e4

SHA512
9e3dc735b5f98237e95e9cc9015e5512869dcd01efc31a1e8c4dc79308243f95c6a2805228a4840f653934dfb206fe5f5fa50f399c9c8893190a840553a2fe73

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\primer-primitives-366b5c973fad[1].css

Filesize
7KB

MD5
c3251b92f88319086a74573c98ef2cd8

SHA1
2dc7efd06dc7b292579a74ea171ce24dfee83dc1

SHA256
90cdd286610f3f9cb21194bde1233612d62a5cb973c901a04a06febe9b285488

SHA512
366b5c973fadf52874e0d26742cc908ef426910f5b9e92a053e84382145fd7d3672a9edd392cc26dbf69a26e2bee200016ecc59e6c396b95d5e1a83887797ca4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\ui_packages_failbot_failbot_ts-ede00d92f599[1].js

Filesize
8KB

MD5
0d3cfe2475bad34f9eda6593174945e9

SHA1
36158effa83180ab0bdc21341b1758e9dfedf6df

SHA256
6cf7e764d431783cbbb1a4b4c50ffcb392a1bf3e69021f5aa7c0aa8f4a937f8d

SHA512
ede00d92f5991ad0c830535816f95da3a1de452a75d049b238a6345d3cb645908dc09e16f039205618d0d88d5997ead4809f66dcc0411684914740981f1e5a2a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_dompurify_dist_purify_js-6890e890956f[1].js

Filesize
22KB

MD5
80fa30c00e347b5bbc8b7ff9dc2c9f44

SHA1
d085fe485ada77814949e92fa9e1b1eb05ba5eda

SHA256
be77c75cf182f1830d0f90b8d7aee460f0108c6e7f5a143a524f709b9023c80d

SHA512
6890e890956fafa8187511df1ac3c80a5b8d56be5ca989da251741f59c8d1186c0efa3d374f113b0ebeda124b78dedd106ea97f487ec04cf2a012e7bdd1048b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_github_auto-complete-element_dist_index_js-node_modules_github_catalyst_-8e9f78-14eb72583307[1].js

Filesize
23KB

MD5
7f057ae9fc2f65c9ea06fae539d88a0b

SHA1
108dc47a9e300fda70e24e94ee6f0e3b8174c09d

SHA256
ac82a951f1db340c40abb2f8a1b7502a065039bebdd3aafbfcf1f67e2887ae30

SHA512
14eb725833079b34b9bca578ba2af0be92c6002a5dcb97ef050f69104022e8823de1aaf95d6db6ebb05143ed8d95c213f3a47955922e7482b1b7c979d2c17468

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_github_combobox-nav_dist_index_js-node_modules_github_markdown-toolbar-e-820fc0-bc8f02b96749[1].js

Filesize
18KB

MD5
1908a7d9985e9540b3f6fc047f62b729

SHA1
25a06882e338da16bbc59797925ac6086141f478

SHA256
1b92b8a1d5169e64edce1fb248cb5989561060b083e5f05b6ca2a823b748a946

SHA512
bc8f02b96749a7ec00a92334c4964a4255611b23e15b88a9fef73fce2b55e32bfefa7f4bb89d436685a92fe188713790b9154ed79b5d7b3690a3ace68346cadf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_stacktrace-parser_dist_s-1acb1c-a745699a1cfa[1].js

Filesize
19KB

MD5
861fa69db074f86d7b825200d303b5cd

SHA1
6b0dba99c449561eccec58fb4f0225d4d9c7a25b

SHA256
d0626b0be461588e2510ec528a0ae6fbae4ac363ab56b53bff39382a1a925810

SHA512
a745699a1cfa87148f99a041663a7be4e70130245c5a616a90e77f4538deabafbac9a5debf8aa517ef65b965e1d3b1ae6cdd85349921cabce52eb1ec9a71117b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_github_remote-form_dist_index_js-node_modules_delegated-events_dist_inde-e53a3f-44fbe25382ac[1].js

Filesize
22KB

MD5
d7784f92950ebd22588939a4958bf2c5

SHA1
211a7a56d420754967b86c53f96d24535936f835

SHA256
9179d6fd8dcd86c766ae4359b7784f2a2812ed681735407b05f46f992f9ed951

SHA512
44fbe25382aceb6b2309bfea2b1fe05f64160e6a3ac66ac4405a7ac5a9912fe7d4b682ac2d11d374761155d06e2e04f0a2a237eaedee7f1735654cfe9989134e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_github_selector-observer_dist_index_esm_js-9f960d9b217c[1].js

Filesize
9KB

MD5
683a7fe431bded8fbbf7b5189a1b8209

SHA1
2fb527473877ea06ec6b023690ce933c216c5d07

SHA256
f87c5b59b8f353c8762f2e44e1f82feafab882a96a0fad135dc6fc1555872ab3

SHA512
9f960d9b217c457d467a9510dd9797c4ec9df9a892c0a3e1746b2b87dca8ec191dc901e983bc509bc282004967b6fd588dbff5bf70bc7e20a5ca32bc7f1d772a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-c91f4ad18b62[1].js

Filesize
75KB

MD5
8d2fd700b674b265b884566f9e1a68b2

SHA1
b0071dc74ec8602aeb4d4063ace590e7dc26ab6c

SHA256
8d303394176f2b0cb950c35e71caa07a94141a3625c75d8b5da9f42f9a1bd700

SHA512
c91f4ad18b621b1321ca15512f94dfc9b7759ea2d0a150e0d4ec12c62ace6f5d01e60b991f0f1fa523b96ff9e0174e89a5c6496a6df15b61e57f232f2fdae967

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_morphdom_dist_morphdom-esm_js-node_modules_github_memoize_dist_esm_index_js-05801f7ca718[1].js

Filesize
5KB

MD5
11819c8c15340c7ca8339fcc945a4f06

SHA1
5fb0a03295e008aec0a1abc786b9e8bdaa3a233e

SHA256
7bb4cf0c86c218c29466a022a4c087e72ae5cfbcc0307a67c9a5af2a0ec2a521

SHA512
05801f7ca718d5ffd9e34ed99b557c1e8c624eb6263e0eb4f94e6fe32c4a1b1c1663419d89594358471edabd80a15f1143200b4150051e99377b988dba7d7389

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_oddbird_popover-polyfill_dist_popover_js-7bd350d761f4[1].js

Filesize
9KB

MD5
b6b600c9f1dd4c88024d62e6ff2eb871

SHA1
5a22091378af6a681a1edd36e5337b9b6f70613c

SHA256
447a26cbcbced255f24f46c1e82a6f3a4de3b2a44d4b0ab7b6f427b12f783f8f

SHA512
7bd350d761f4f22866b454b1271af79ef5d23f5d1b8cb0598c34f739e3dab977450d61d01b8a0c135fff309389f712c0114e9cd6e844d2261d2536377b71b838

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-086f7a27bac0[1].js

Filesize
8KB

MD5
6822816845d932c1e93f68372f005918

SHA1
1dd14a539530e8d131ce29be5e5f84e4098b6a15

SHA256
14d338ed3345cc8d74e239c812aa37eeee6126bc1ad8a17e4e2cf6ba8ee0adee

SHA512
086f7a27bac0d285f5e0c849cebac7176f86edb18037d8ec4356c2b8892fd3f47e045f857eb673b213661eea17441192cdb7a76c807c2badcecff6b7901aba92

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\vendors-node_modules_smoothscroll-polyfill_dist_smoothscroll_js-node_modules_stacktrace-parse-a448e4-bb5415637fe0[1].js

Filesize
13KB

MD5
331e44e17e9ff14023510b990053a71a

SHA1
096363b6e8794bbd45a352d3cc8cfc4946b832b2

SHA256
7db9b2cf77bda551dc5b202710a2ebccc88a74f6d807a8eaf19d3624befba34c

SHA512
bb5415637fe067dfd3bba724d1e3ec440d342feaef6d42226cad26c535dab05ed798c92b46104b1cc843345e11d3e40a72a051c7730438fc2ea59abad6b2b26a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8878U3ZW\wp-runtime-2663c96e6bf2[1].js

Filesize
38KB

MD5
650b4250de0f311ef855e7c0798aed41

SHA1
0f3265daf1827c9acd4dc5c80081ce548790cb19

SHA256
008cfd9a561615feb9d977f2643c4a52c056f55335d8591f6304324f38e260f5

SHA512
2663c96e6bf226329d04738eb406c42451fa81333bb9bb7e2916d2de457b8a868045c4a7ebfded28391678d3a17b5aeaf0fa4cb6764d7b75a30bb7c8dbf0a6be

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CSJ9TYQL\44542704[1].png

Filesize
2KB

MD5
923e90e62af61d5069a2441cf2ac9860

SHA1
333fab4360d653038152e72ab3f31735f2df0b1a

SHA256
fcf8e13cd742fd50d7590e542a0f1cc7ef39ca28302dafc5dc01d3227bcfff3e

SHA512
510f84a07dea3d0ffa9b551295a3f6f81e20ad141b87ffd6f91fba2e0e76c62a5ca8f00b55ef4e3707f61325ddf82c72afc2e5dd515a164881bebc938d4781b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CSJ9TYQL\dark-a167e256da9c[1].css

Filesize
110KB

MD5
16bf89ddba1dd57f22db711fabe734a4

SHA1
957574454d6cf7418b7ec21ee68b9f6cf9121ea5

SHA256
9b8c1638bd260c5ffc8f57ce371ef17210117aae67ffce5afbf141feec1c4c53

SHA512
a167e256da9cfd581c6d23cf0e71e8df6f863b162e9d1f8d32baf91adc0f89b7d75f059061ac6b643230821b6a82bcfa356bd64758a2f337e95cdceedaabdb09

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CSJ9TYQL\global-6d852ff5d319[1].css

Filesize
280KB

MD5
aea94eacf2cf706c50d590c60a8577d0

SHA1
92e63534034c945aca9a7cb53c291f57af26214a

SHA256
8c1884b073177ed2cde53463772ead23b0577a4cd502aadbe048338fa5336653

SHA512
6d852ff5d31954b3e2af5ea677c045fbd80fd02aa6749bb8269fe09889bdb8bb83c537d8d2c3586fe2133e44b89d7645b9fc49f4417909b415f942f479958fe1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CSJ9TYQL\ui_packages_react-core_create-browser-history_ts-ui_packages_react-core_AppContextProvider_ts-809ab9-5bc018b15303[1].js

Filesize
6KB

MD5
378d0004aed365aec287f622134e5069

SHA1
6acb45a99cfdfefa20834e9bd796d56ef9888615

SHA256
b9006e1bbb715c820ca59ea6bb3cfc3a4258a193b31db79814ae2b34be672139

SHA512
5bc018b15303a49beef4eca73e4cfd682ce1f3cff64eb63db593a82daa6ecaaab162c16abfeabb688525c47a243455018e7fbf1e4b77602864a206260db095e8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\app_assets_modules_github_behaviors_ajax-error_ts-app_assets_modules_github_behaviors_include-467754-244ee9d9ed77[1].js

Filesize
16KB

MD5
2f497796c4a1138fb344ef33c095e8a0

SHA1
bb8354facfc9b52a56d8e3b49b5bed1398dff197

SHA256
3bcbc1a7a6f8e83c9febf9156ad3b5baa19f153a76f832fdc211a1894cd72ec6

SHA512
244ee9d9ed779dd0dd2c7b846c0699ec84e675f1ff0bada75d599488b5330d14174063fc07ac8938cd1da53163c3d18b2d8c7585c651472737224a21524d116d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\app_assets_modules_github_behaviors_commenting_edit_ts-app_assets_modules_github_behaviors_ht-83c235-9285faa0e011[1].js

Filesize
11KB

MD5
ea2f459bb2eaf606a6d110bb721f8c85

SHA1
0cfc1539816ee68e0ccea2f32fb4191bb8b05224

SHA256
3c0095ede9f86618b394dcb281a35c659330ed3532ff49cb699c4f95083a912c

SHA512
9285faa0e011208b72caa43ce51dd15a03224c73810ca9d549ab21c344c2c96f7b6bb31b86e922858cfe6cebe6e3b09e7dc8fa35c6c78fd7c44b6c919002ad02

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\app_assets_modules_github_behaviors_task-list_ts-app_assets_modules_github_onfocus_ts-app_ass-421cec-9de4213015af[1].js

Filesize
14KB

MD5
f773d7682704ca9858b63b87f67919c1

SHA1
edcb0120ca99d5ddc395fae4bcac301928f49ef0

SHA256
0b6e667cb5fae47ba109488f66ca4a2f3a55a80f25cda4ca17db228b3ef3464b

SHA512
9de4213015af6aa07708f102ee75a6092518d4ce61198db20c67def5a37ed0b924bf0007bb23535aa11da61f818e6d80c7c84f31b8f4e76c5413fc0086850d9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\app_assets_modules_github_sticky-scroll-into-view_ts-94209c43e6af[1].js

Filesize
9KB

MD5
ea01bea08a155fcf33ff2a18fcd0ecb9

SHA1
1f58607e282514d7a1dddf9aeb2b91bc5f5fe7dd

SHA256
ecef9a63582229cec2ad4531de2fcbe4098fdbac1ff41d7ad269fb47b3ad6352

SHA512
94209c43e6afe456a67e0fe26ff4f4bc8982137138891fd2aa1660150c4e03333187d63292ebf0d5aee64d0c5f8f0e40421e21923e7588d5213d8892e8a207eb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\app_assets_modules_github_updatable-content_ts-5d7607113ea3[1].js

Filesize
12KB

MD5
028b1f9d28a2d7084ba352260781c0fa

SHA1
ccef26e6dd5d2b86dc92ca16eddc5f266969faec

SHA256
309bb077eb5391e7c5d12195f54be7f57ca837be5acf747c4aeb53c35db41ac2

SHA512
5d7607113ea34da21b125bd003ee9804ef92171863223d3fa070e6f64ce3c2604447a1cc2faeeadb1fa09c0cb827c73cf80f879435a294ceb0d559db7a1c716d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\keyboard-shortcuts-dialog-07cc3a6b6201[1].js

Filesize
29KB

MD5
3c306abc9535dd47189d9f8e7cf41ae6

SHA1
64efe5bcb4fef5860ca8dcce79acdeecfd567abc

SHA256
1b8619434efaee8d3473407874fa9c099db31c6300b52b37323f01ce4cc12e51

SHA512
07cc3a6b620117cc85e3d84492b6a57aaa18154b05a76fc17330ae6b4a0e59f20f61a788ced5312e490b16b0afb8abec665e0fabee79b337044757f88f81ad02

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\light-0eace2597ca3[1].css

Filesize
110KB

MD5
c98edbdc81b370dec6c1635959f3e6d1

SHA1
fc7c9fd6033bbc608ac6b77b5b481c7bfe162e75

SHA256
7214039084d73a8ac3457904dce9dba06f30e82c1b62bf186e791502aad5c41c

SHA512
0eace2597ca30668d561697e3275158ede25e98bb9af70b059f8a1edcd139ce4910c9e04a1d739918615d4042fd4c5d16f6d5ec0983c9785537f55aba10cb64a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\notifications-global-6d6db5144cc3[1].js

Filesize
12KB

MD5
261150ee37eedc1c587ea9a21a7e1b6a

SHA1
f2112e464b8a356e675ad36e2c20f58e12e140e2

SHA256
020fa19a1945b66e3f2bb224b98568b884996fe404bd5dcb9e91d20bbe6ceaeb

SHA512
6d6db5144cc3ea031f04632fe9eeea3ff3dd4d91740526de02e57d2cae60aa5afe5b8df0de2d92c46eca064c5ae20abe3d7e9778d36e94990f74e432f6ecec70

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\primer-42eb5b6ba8cf[1].css

Filesize
347KB

MD5
8e66187284a17c6ab0112ce1ebc1005a

SHA1
69922b9603ad5fc252d773ff9aa7e65c1011a419

SHA256
a75036491a65e86df3caf510dea767f2b1b9753c30c13e48485945305446ffc5

SHA512
42eb5b6ba8cfe64b9642125c4596f6e1e731c6f2027a7ff0daa53b5fbe7b9145a8ee2d136ffcfd9ce773f54d851086cf11f3f2f5723a9e6e09da383a1124cafc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\react-lib-1fbfc5be2c18[1].js

Filesize
205KB

MD5
a89a8f2f2bb2d88a93065721c9e47a2e

SHA1
cd36c9a2f3f961872dde1419ee028a3043e505ff

SHA256
746be0909e59666a5f567b2aa72804a700c73dc6fe6403d68437a017563c2efa

SHA512
1fbfc5be2c185ba0765855c0a373c65424e74958e31e1df715a16e8b626ea4feff3b11fa9672e4eaea5b5a0b59a2268a1add636afef130e514f7f3e44ab98f19

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\sessions-694c8423e347[1].js

Filesize
11KB

MD5
15353e276f2a35c6994e46991d8a9b1c

SHA1
37c41a00574ae955d36dd0e5288f4ae32a18e048

SHA256
7776eb5163b1ef5e527a065ee8701fb023f5d4292bd471af5f594c0c4f33f7a7

SHA512
694c8423e3475a2e4c99d721f5dbc4dbf324fe3796e47101147753b191f032081687f9765a981207992da09a9b209a1d4d314d25621e08d811e2cf04a0403197

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_color-convert_index_js-72c9fbde5ad4[1].js

Filesize
13KB

MD5
c706ad84a4eb261b75d1f77ce7f9bdc8

SHA1
497a9725442e7305adc54d19b828b2e38c5c56cd

SHA256
80b561c1746ef1533744e7bf7ea3f6c721a88a104d665bb97ffa8df96e69b682

SHA512
72c9fbde5ad471c76b76034459d0d75db00cceaf3904a14c01dd9dd9167da7f783086b79c446b24ed2630c9cebca1996b3ff8ea52dec6c865f173c8158962be6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_delegated-events_dist_index_js-node_modules_github_catalyst_lib_index_js-06ff531-2ea61fcc9a71[1].js

Filesize
11KB

MD5
c59673d413609f36559412bd12b5776f

SHA1
7cd5f0a997f4d154400dacbfcab376395009f690

SHA256
eaeb0852cbcffaef96c7a00b0080169f4aa752f0f1d5cafcdf6177e2d0698c5b

SHA512
2ea61fcc9a716eb3452f0b6d6531d0c724f69aa55a032af882eaae96f7f59bd26f028f1832f1aa65bc6fe90612acbf145249cf83b285399e8e4da7fc4c9ff5d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_delegated-events_dist_index_js-node_modules_github_hydro-analytics-clien-b632a3-7938aac89f16[1].js

Filesize
8KB

MD5
a75476ea12958502da977142b0c9cd9c

SHA1
32b3d2b6b47ad835f1ca75a0fe1460b56059584a

SHA256
cc87364ceb61647d3f5e082352c29f198d9cbeb24034fca1530391fa492eac1c

SHA512
7938aac89f166cabd8188929167dc7214470145052fa5b8a24e93a727febe3bf1fd20295df72d3d3eacc59231a6c79e29a568748ff2ed8d17e7760d2bf03a590

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_delegated-events_dist_index_js-node_modules_stacktrace-parser_dist_stack-443cd5-559829a63de0[1].js

Filesize
20KB

MD5
166e32344d6d91ff253588892c185034

SHA1
dd6a8a326f44b1ea130e4d83c237e9fb1d01fa72

SHA256
a4aa9668713f77cd2df038fd53c0c0c436d1ee44ad273e5013d28aa3b608f9ff

SHA512
559829a63de07e85cf2b0f7959c9bc20c947b9621c7d2c406853c4f7a338c44d612bd5fbd7ca57004965707f460cc009fbdc88502bcbc991eaa19d817267717f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_github_file-attachment-element_dist_index_js-node_modules_primer_view-co-3959a9-cdadf3cebccb[1].js

Filesize
87KB

MD5
48293eb4213a42d72dc9393ff0df1c36

SHA1
89ed3af710742b52126916f904301b769572cd9a

SHA256
b1e84bdb840c95039f42262e6b4c0e9963be4d4238a929593afd073c5410a14f

SHA512
cdadf3cebccb77f8b69cb2e62c6897ecac3c57818b7623111176975934c188f1c31a299bd6e6f21ac710a1332a0c8cd597dc0d1197e8ee266c8e486b8979cf7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_remote-inp-b7d8f4-654130b7cde5[1].js

Filesize
18KB

MD5
21c56e08d54cacd285b71cb9822e4510

SHA1
f1e2472c4f75565e065a222d4d8230e4c3eaf2e1

SHA256
fcdf8d456aade47c524428bd32301c8e07d3535d2084e0cb0bd13b67fa5e6430

SHA512
654130b7cde50138e63b58f5339e703d43c6719a508b45a0a168777cb1ab5f204d5431d854bdca627da0ef3f39cb9d699b3a7b7f8cba0442ea2f45d9d19ffcf4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_github_quote-selection_dist_index_js-node_modules_github_session-resume_-ff65ee-c202d20e2d3d[1].js

Filesize
41KB

MD5
0a5c8c2fb52ab19ad25161951a892959

SHA1
c6755ff9d94cd6f0e17166b95892cf0bd7e5a6fa

SHA256
00db91bb25902cb212fb700d2954b40c4dfae8fc1f6af62aede5d01f22efe213

SHA512
c202d20e2d3d21eaf0b2e6de2d17c0db8928c36440291c34914978d5fff6cf7f4ee5d16c18b19b29678b31435bcb44d0b48f97d3f0ef0a97df94a8c9f10cd36b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_github_relative-time-element_dist_index_js-c76945c5961a[1].js

Filesize
14KB

MD5
2cabd818fb8745b2fc7d5f92594269b8

SHA1
88108fecb3839f06671c2a21e35163e0e414b2b0

SHA256
55cdbee6ddce98f5c299a24fb9851501f46ff0cdd2ef3b2f7bb572a3940b462d

SHA512
c76945c5961a4f5b2cb1f85bd3cbb35d5e81f611c3ba05543acfe870728e94e9719c9331b65f4c2c8723960c5ac1e9cac0495a892f049b41ed3ffbe899b93700

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_github_remote-form_dist_index_js-node_modules_delegated-events_dist_inde-94fd67-99519581d0f8[1].js

Filesize
14KB

MD5
84756748e3dd04bc8df81aae5b8c928c

SHA1
da0753f66399bf678140e102c8ad90324aacee5d

SHA256
6a1fbc292e9af25dc3241c6f45a6ac754055cfaaa024f50ab231257f97f06c84

SHA512
99519581d0f86411b1cf8a25912224e4a2c7f98b10091962da6b52f6fbec3dd216e83e9e8a6b63195516c7331df090238603b99c1c679499da77ec1a59a7a8f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_github_remote-form_dist_index_js-node_modules_scroll-anchoring_dist_scro-52dc4b-4fecca2d00e4[1].js

Filesize
14KB

MD5
3c93d840bdb31e2ecf2db3a18d74ecfb

SHA1
9dba0310dd02f294a15ce70e9dcf15bdd931b153

SHA256
90811a711184795bc02f4d5c428192643b5721937943c790e950e9e353cdc310

SHA512
4fecca2d00e4933afc4ec27c376010683c3e788034515793c7a275a9c7d60f742f10850f108fea397f221436d2201f671f6416a4deb5fc3cbebccded871f979d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_github_text-expander-element_dist_index_js-8a621df59e80[1].js

Filesize
11KB

MD5
da04614ae380b68c111984f401413fc7

SHA1
7ca0dc023ca0b1654d7c8630b8a05534e156d03d

SHA256
85fa448f4d60be73de2f42a83937523b7b751a4523b809fe9e3edb404e00b835

SHA512
8a621df59e80e8851a8cf3db03462095e8bba43a860b1018dc66780448e82d19871be99aab995fa57025db8b7f8e975eb0595fe2c59ca23d984b4d21d5031aaa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_lit-html_lit-html_js-5b376145beff[1].js

Filesize
15KB

MD5
81628c9093236d8e3cf835f708c30608

SHA1
846b10531dfca6510051fc43abb8f9b5647a0433

SHA256
daf381c316a5988c9116aa65c5816cbc8a958211b4c0b7d989ad6c9645757902

SHA512
5b376145beffca1bfc6b0352c08819609a974b6170848699421208752a63f057869e0e4ddd23797b3a0c281c276d7fae580cf41bb5465c632aee58524b21e7ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_primer_behaviors_dist_esm_dimensions_js-node_modules_github_jtml_lib_index_js-95b84ee6bc34[1].js

Filesize
8KB

MD5
913a77fa8f878b5f1b7bc5c3c53daa45

SHA1
e2f68e5c24e77ab985603430e9666fc1718cadf7

SHA256
69b7ef034ddc6b605311ca503ca24f54de1758816ef270a160315ed71fc3d7e5

SHA512
95b84ee6bc349a259aa1a1298245ff5edb5cdd1b6f5013e0c5eff8059c1f90125e8a1457c40c54ce103f4d18160a55cd7084922ae283bf00f8b425cffd1efa48

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_primer_octicons-react_dist_index_esm_js-node_modules_primer_react_lib-es-541a38-6ce7d7c3f9ee[1].js

Filesize
708KB

MD5
9699fd6c18ebb0b6e830f00aa5b00923

SHA1
4da30d3d59bda5f71bbfa3382e1351b5949093f1

SHA256
a6e73c5e32a48959c31695ad96b1f50041288809239817cf46fc75cbdca309f4

SHA512
6ce7d7c3f9ee1db237c4a3c024d177220bbeb36a90e49585dd425ad481a9660f02538b564a69e53d91c1ae3d2df48ee1b5b573525bc86f4fb6c6f199abd58627

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_primer_react_lib-esm_ActionList_index_js-1501d3ef83c2[1].js

Filesize
36KB

MD5
fc56234216f7ab16027e66715e8ba619

SHA1
d2a025085b429fcefd4e72f94fbb85c996827430

SHA256
6c23cb820422a033600041200811d3acb7452a3fb9bd7600fdb7c253118d7fef

SHA512
1501d3ef83c29b7e19a8af1ea5dc4b8b76bdcd0880e5d726e58f1eee20d1ae05dedf29eda17d5ed44739225285c99289e8c238be608475e8aa80f7be875a0927

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_primer_react_lib-esm_Box_Box_js-8f8c5e2a2cbf[1].js

Filesize
14KB

MD5
e13301561af6d955f28e15fb1289f257

SHA1
cba18e711015c8eb73907a47316a9e72a04cc4fd

SHA256
6f56c90679703b770ea20b56e706321a2b5ff837a521aa0977640d19be74d0c3

SHA512
8f8c5e2a2cbf938918866c1a84d9c1e242a98d5ecb48d3b2861faf32e19cfdb924f2bce7230b6cbcb67597fbc2e05d6d445115cfec1a1d636151ceb0548a5ab4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_primer_react_lib-esm_Button_Button_js-d5726d25c548[1].js

Filesize
13KB

MD5
7808e91ddfbdb6b9debebb80d385f34d

SHA1
fa5b6305619c7c4964a9457e6ff4239a83cd6ad5

SHA256
b4de114425b15165820a41293d5cb11c2353d3b29cc3938f800c3ad539f40158

SHA512
d5726d25c548155c6bc41be3d771580a0ab86d7718969a2ca4563efa2f17ac226bcd2347265fd7fb16bfba539d59bcb709705933c7b7f3bb0a082028d29f0503

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_primer_react_lib-esm_Button_IconButton_js-node_modules_primer_react_lib--73d4d2-7feb4a337fc8[1].js

Filesize
31KB

MD5
bf042188ad61c4159a16a55ec8095ce9

SHA1
42ab98c09170076376d1e9a77af62cd1032d203e

SHA256
aa49631560d9f11c9fc24aaff85f4393fb03caf8668663be00c79092aa89dd39

SHA512
7feb4a337fc82cfc0edd0664546fc2131ee8ed6c573f2c8cfaa6c0808007d85ca95c47b5e1d3db1a1aa260c4740bdcb416db6b9ef0310e5f42114b55a8e55ea8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMR6G33L\vendors-node_modules_virtualized-list_es_index_js-node_modules_github_template-parts_lib_index_js-878844713bc9[1].js

Filesize
12KB

MD5
84eee0a0d2d52ce4048f2dbdb3589012

SHA1
9723f142ff6ce47f65dfed06d70b68a305a8dbb8

SHA256
bf11813ce0246da52cb3132837619c44d1e837e3eeebbbef12137dd91dfbec7f

SHA512
878844713bc98efc35c1a8041e3a53fa3e2ac9669dddeeeb2962ce6cdd465f84f0d41c3774ac27bd4bffcfbdf4832897e7711dbfd17adfac9d2fab206292c4e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
c8bfd89db212712e05fc642ee2cb3329

SHA1
981c2a957fc1dd92e40d81c064dc98be7c3d8c9a

SHA256
285baf7102df55e5c592bb0ad399f71427a4758af5452884df62e8a6026bc14d

SHA512
753f5ae0698f0c45fb1ba48d6b72075dac6aad8b81d0d19d587850e3d85f2754ead535d146823758403d4bb2d67a9a1ccd4382d699e26f069a1aa7708a459f78

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
8c4a166a525b5dc69bf0b6fb9f191505

SHA1
e655aae05b493677e5c99c228afd127143b1a3ca

SHA256
26a89bce2f2ea08ab0583a0ca80ec25842c24637d3adc042480e468dc69cbe2f

SHA512
d9e25395784942cef0e5e05d6e9e8d7b2a5f1f2fea6878a7795c94072e81f5c4550d749e8edc4aea27e5bfa189dd97d7ba41fb706350d7c4d7e8a9ccbf194038

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
7950a5a515dd20ec3dc0c2fa8934c77c

SHA1
ba44ea4e010d81f564d90ac97f9d552776af06d5

SHA256
edb4aa264ce33c2f1923d43b600cd65af6bbec022d1db44dfffc6fcdfb77bf65

SHA512
2008b81efd740bdd72c8ce1e3181d9ae58aeeff83d0171566587ab18e2f51ef557bc52f9cd8b411d107e01f253c30085c1f7b326eebca3ac1e0c5d5e637105b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
1046af76d6baa27b902fe3284fe2f74a

SHA1
e93aa80e97f513450b28e115527365c7b2ef6e24

SHA256
c2f6dd500b82918c4651869ac491cf7b66ce2b8237d1ec4ca628828e0fff534c

SHA512
d51a19e9b0f9d305170d4b33fcccbd8b60d55bdeedc0f08adf6d15679e0603a110ea07136f52f03d9c7029af3673a7357174ca23520baf264fdcfd7b76224b5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
8950d3aa04b3b4567c278f0f662205a8

SHA1
144660e2f078036c657b38f02a00248cb7d54d47

SHA256
2dedc30cad681fedd6995e77c4d08c177dc8d551dff9535d82c9486e88d11886

SHA512
36daae8ec89ceb4f6e48d902f43a091c5fd64e0e86ebb4be110ccb2abe9aa395b73e73269064c0a3b82941fd2ab3dabcd4fe583ddc1d361709b46f42e9539ff4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
819dffb4c8d63575e0174a9a3bc04813

SHA1
76a856f75f0e02be3ada756392116734016edba4

SHA256
df7b6699f28274739fa32c0b18cc75b207c2a8fe3099352fccd4cbbb6d42122f

SHA512
e50489b2470a1e9b7615a6fbdeadb9a3bb78fc78e18fde0b711c9ef955832091b1e2771409e81af9d4f06fdcb1bcba6a7a346caaf2fe9a0848f1b2aeb5ac4563

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
4141b6d2b4701dd47c9c28f1479c8ca2

SHA1
54a50531a23d40dd42f4083c105daf967d458c3a

SHA256
05ea2d2c729f3c925143e361dd96d432cb9336b24943c6903ff60e0fdf0ea317

SHA512
72e42bdc4d1cc212263b4b41fdbb5be8ccbf6aea208eb5fcaefb6a8a14c6e0d66231a9bea9744cb250a892cd17c8bb2f64130e76329942dec68762acdeb9a0f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
f182adfa6c7486a4db95b9d0bdeb55c1

SHA1
5f118459d3aee2e7939733bd365cff573737f6d7

SHA256
7d2096f151215d835eac7aa3956603debe76594ffcb345c396cf9c717fb7cd96

SHA512
2cd31c4f4f26baef12435544ffe82c18a8fc35ca1c0fbed5737b12f904c871c69657e16893c83855be8e2b8c111d7c833451e267c24edd93e90c8279e16550cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2f1d144588163d50cec9152f53b95465

SHA1
f67066666f893a4a8900edd57a65e8ad3ef34099

SHA256
4dc26716596d2538e71bdba58b12d6dc857e3fd1889170d6037738435447cb45

SHA512
786d30d7a6cc6dda6caab16ba26620fd461d40610cff3702f8ee52b33713aa05ce532e178077640b48e0971d984ce1d18ac469120055aee4f2ce662adc5b93b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\datareporting\glean\pending_pings\16c7b961-07f3-4c73-814f-1bb5f6491f76

Filesize
10KB

MD5
8b9b899dfeb135ddc0e676725966db9b

SHA1
0f22fb07d7117e7cf695683ecf57c3df9f81ffeb

SHA256
a831c914b724182e2a51bbb1ed0fce2149b6690df7c9011b1ddfcf91d7b2e107

SHA512
ecd62399595fd315c0c7eec172a9f1bae250ea692d6c7e0aa355ed22b8175ac85c0a2fe28e30b4fa594de463a26fbca0cbf15b096783eecf2e926c01266e33e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\datareporting\glean\pending_pings\797efd1b-c032-48c8-bb7f-26e620a5e4b0

Filesize
746B

MD5
41ff692de5a60b7d78d3b9dc91958150

SHA1
91ef9f125046fc9c4baffbd18a59cfed5ec332b1

SHA256
0bc163b808292aa644d18becc1608ac91eb8282d56edc6ad811075f9cdfd6264

SHA512
2d84b321e983f972418aae0001ab63ae7ccb70b44a07283a47ee3126effc000ed0c63f37e86f573ae1facb25ec4e2e3d38ccc1f8ce0a009f2f3d80c159550afc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\prefs-1.js

Filesize
6KB

MD5
ff2b26e7418abe6debd5686bcf7d7b39

SHA1
d33a92917eb15f1bbfb68f0cfc81196245167693

SHA256
eded9102c9835118c13c4cdf48e5edf9d19b407b7931ec11c3bfb692991f7b38

SHA512
ab57cbe8f3b9f022c8c3d305649a42597d21fcbda6740407b2acaddc38f5584684e79eee94b78417b412da3974ae2bb98df46bc93528c279817f3bb94dcb5410

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\prefs-1.js

Filesize
6KB

MD5
a60607f7a20dea27f03e012c148099e1

SHA1
310127592a6fd15ae7d723ab22b368886c3d2575

SHA256
8b06e64f360fe5e3b4aa4b0fa7fc0d47e7f4e5c5289b23e78abca5f81250b116

SHA512
3bf8b5d1bfd81bc4bcda0d415f34f654c22560e970ec6918647efadb398ed8c28d396f5b4d823c0701a033e8b6d214ddf1d901205ae101b5325c5356fb737d96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\prefs.js

Filesize
6KB

MD5
483f13dc3956d1f72534b12ee76ccc0b

SHA1
c9457b6c6e3985129d111c241f4e4069e15aefb6

SHA256
e5fb43429eb4142ac7496c8f5c3cbce5911c4458807c1937d54bbb6d8821e783

SHA512
4d051cb25c8ab35d01a3508749aec9b3615f07defabfa12ddcda5f3eadd3f6c4f46a2407b66f2b6febabc89a9d2542798273ded3d891c19d7628bf5051fe9525

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionCheckpoints.json.tmp

Filesize
212B

MD5
29ce37dc02c78bbe2e5284d350fae004

SHA1
bab97d5908ea6592aef6b46cee1ded6f34693fa2

SHA256
1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693

SHA512
53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a3e9fec09c7457561852d50252ad4bf8

SHA1
f3337b31423ae726f62f10b3a695f5b8d19df57a

SHA256
9e24b76199a938a94832bf5b1f2d88c48838e7af7466d64c8d8ac3e6ee7f5a58

SHA512
0d0acae87376ea626cc6e55252be059534f5fdcdfc4cbee74b3e4ff92a1d51537a55b53b7cd4193176112a023cd8a0b1d86c94c656e7fe6da9ab63c53d69ddf6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
42dde2f72f2c98249dd6beafde1cfdec

SHA1
79b28fe51918a05b4ee435b4123df3d08b29b4e8

SHA256
d55c25631a146f122800f0d605b7e54ec8583800304c4efbabf0446d89b5c3a4

SHA512
8f24d1f1e1dde52d955d1608a4aab840a214bd6db84d86dcb7a4e2c3d7283998ef23b0463b663996c57bb895d74a42a21ef78abc36bee63f857b76bee083deae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
e5d467dbe2446539a10c66976dc7cbc5

SHA1
f6e7ed1a8926fa18c39b3fb5509f58b67fd4aba7

SHA256
e746973dc2ca92cf9ef12ae4b228164ede1f83bc7064771ba84e87669fa6eb74

SHA512
9c8106b7022a07906822b611fe47728451b65250f842bda27b91687e3de8d2001fe22660d9698e75841d3ec962a95f5a457107f7df0e9ae1fdebf8af3b94afe2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
383d1b1ac470645cb54f17e8e7dca225

SHA1
da52992e0b665874cb1bb30114d55fa959c469e1

SHA256
3eec1e646c36d1ea3146400cb63b2464f2320b91e762cd83f3cd50c221c49f1a

SHA512
0968d121064c3071a2c5e2732ac26f76931e984201688fc9ca4e9887790ba2c7fcd9a882de522417e2da6c78e8912c9745f0e351bd5e5c5213e27365178c4dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
db95381578d713de641234be3b00e0d2

SHA1
eee0cd134ad416d7868c411ded31597380a57cf1

SHA256
f47f918a1ce100a811f10c4c296798bbd8bd913aeff871e4c833d613dff9a8f4

SHA512
7083cb88e0266af1db7c715c50a4866ce9e21034f2d99f27b951ffb03e5e95977d9433486e67226ff9c46872bd7caa90d6cf193118ceafa93935a5c53c2d3ffb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
9d5ed1c91ccd0ab49a1a9119bb4e94fb

SHA1
c79a03ad632b4bd9b2e4249732aa7b9e570977f7

SHA256
dcdf8df25fe8971ce17373a172424f77ba234418d3cc794802d8be2a8fc8d7bf

SHA512
269876c31e7852534902ad8e2b080bbfa694df12487bb5f0350dee70fdc77e013cff2ed01c634661ff1bce708a9dbc436079779350c27269e9c2c8f52c419691

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
23eaaef050c7aa59bb8b6dbe731d1ace

SHA1
7be250dea49b3b1fabbe984e1729bc0bea73338f

SHA256
90083d71d517093ac9bf86eeaeb72c3a4022a0e447eaf4ca44eeae86140cd88f

SHA512
668bc1cb47c2d6e60391c787c2923b20206e9d9b5b994c8f5c54cd7cf6f6ba4b6164a9ab3e32b37d1990dd83979321931b396f9b4c7effc81862dc05c8c7eeaf

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
4.8MB

MD5
a42633114f98a3740570832ca4c2eed5

SHA1
5fa12b0eed71c5e06a391b81ce1d35905b41fe4d

SHA256
d256e2f22bafc6ab0417ae83e44d8e9b69ec280c4283de97e92d7b5eff6563d4

SHA512
39ea9aee265b4c3306c525c3abb140710f4c9540803aa3a626d426b166b3b9fce159b8fe4be8707f4f85d357bc32c56cfa652f07a164398c372bd40eda4a4e1b

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/744-325-0x0000023089470000-0x0000023089472000-memory.dmp

Filesize
8KB

Download
memory/744-337-0x0000023099DD0000-0x0000023099DD2000-memory.dmp

Filesize
8KB

Download
memory/744-322-0x0000023089440000-0x0000023089442000-memory.dmp

Filesize
8KB

Download
memory/744-327-0x0000023089490000-0x0000023089492000-memory.dmp

Filesize
8KB

Download
memory/744-335-0x000002309A030000-0x000002309A032000-memory.dmp

Filesize
8KB

Download
memory/744-333-0x000002309A010000-0x000002309A012000-memory.dmp

Filesize
8KB

Download
memory/836-228-0x000002203E820000-0x000002203E840000-memory.dmp

Filesize
128KB

Download
memory/836-461-0x000002203F000000-0x000002203F020000-memory.dmp

Filesize
128KB

Download
memory/836-375-0x000002203DC00000-0x000002203DD00000-memory.dmp

Filesize
1024KB

Download
memory/836-369-0x000002202D4D0000-0x000002202D4F0000-memory.dmp

Filesize
128KB

Download
memory/836-473-0x000002203F440000-0x000002203F460000-memory.dmp

Filesize
128KB

Download
memory/836-386-0x000002203F340000-0x000002203F440000-memory.dmp

Filesize
1024KB

Download
memory/836-482-0x00000220505A0000-0x00000220505C0000-memory.dmp

Filesize
128KB

Download
memory/836-387-0x000002203EDE0000-0x000002203EE00000-memory.dmp

Filesize
128KB

Download
memory/836-412-0x000002203F4C0000-0x000002203F4E0000-memory.dmp

Filesize
128KB

Download
memory/836-189-0x000002203EC40000-0x000002203EC60000-memory.dmp

Filesize
128KB

Download
memory/836-212-0x000002204FCC0000-0x000002204FDC0000-memory.dmp

Filesize
1024KB

Download
memory/836-183-0x000002203E100000-0x000002203E200000-memory.dmp

Filesize
1024KB

Download
memory/836-181-0x000002203DD00000-0x000002203DD20000-memory.dmp

Filesize
128KB

Download
memory/2688-575-0x00000217350F0000-0x00000217350F2000-memory.dmp

Filesize
8KB

Download
memory/2688-617-0x00000217244B0000-0x00000217244B2000-memory.dmp

Filesize
8KB

Download
memory/2688-608-0x0000021723DA0000-0x0000021723DC0000-memory.dmp

Filesize
128KB

Download
memory/2688-615-0x00000217244A0000-0x00000217244A2000-memory.dmp

Filesize
8KB

Download
memory/3968-4356-0x0000000073710000-0x0000000073792000-memory.dmp

Filesize
520KB

Download
memory/3968-4477-0x0000000073710000-0x0000000073792000-memory.dmp

Filesize
520KB

Download
memory/3968-4353-0x00000000737C0000-0x0000000073842000-memory.dmp

Filesize
520KB

Download
memory/3968-4358-0x0000000001090000-0x000000000138E000-memory.dmp

Filesize
3.0MB

Download
memory/3968-4355-0x0000000073440000-0x000000007365C000-memory.dmp

Filesize
2.1MB

Download
memory/3968-4475-0x0000000073440000-0x000000007365C000-memory.dmp

Filesize
2.1MB

Download
memory/3968-4476-0x00000000737C0000-0x0000000073842000-memory.dmp

Filesize
520KB

Download
memory/3968-4359-0x0000000073660000-0x0000000073682000-memory.dmp

Filesize
136KB

Download
memory/3968-4478-0x0000000001090000-0x000000000138E000-memory.dmp

Filesize
3.0MB

Download
memory/4288-0-0x000001C844520000-0x000001C844530000-memory.dmp

Filesize
64KB

Download
memory/4288-238-0x000001C84AEB0000-0x000001C84AEB1000-memory.dmp

Filesize
4KB

Download
memory/4288-237-0x000001C84AEA0000-0x000001C84AEA1000-memory.dmp

Filesize
4KB

Download
memory/4288-35-0x000001C8436F0000-0x000001C8436F2000-memory.dmp

Filesize
8KB

Download
memory/4288-16-0x000001C844D00000-0x000001C844D10000-memory.dmp

Filesize
64KB

Download