wannacry | hxxp://yahoo[.]com

Analysis

max time kernel
309s
max time network
311s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 20:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://yahoo.com

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF590.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDF597.tmp	WannaCry.EXE

Executes dropped EXE 11 IoCs

Processes:

WannaCry.EXEtaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]

pid	process
2440	WannaCry.EXE
4712	taskdl.exe
5972	@[email protected]
3856	@[email protected]
3108	taskhsvc.exe
5864	taskdl.exe
4900	taskse.exe
1908	@[email protected]
6072	taskdl.exe
5776	taskse.exe
1088	@[email protected]

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

3108 taskhsvc.exe
3108 taskhsvc.exe
3108 taskhsvc.exe
3108 taskhsvc.exe
3108 taskhsvc.exe
3108 taskhsvc.exe
3108 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

908 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe

pid	process
908	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oiaderoeworuv893 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
43 raw.githubusercontent.com
76 raw.githubusercontent.com
92 camo.githubusercontent.com

flow	ioc
3	raw.githubusercontent.com
43	raw.githubusercontent.com
76	raw.githubusercontent.com
92	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]WannaCry.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "225"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 10 IoCs

Processes:

OpenWith.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ini_auto_file\shell\Read\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ini_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ini_auto_file\shell\Read	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\.ini\ = "ini_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ini_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2394516847-3409208829-2230326962-1000\{1683E9D7-2245-4233-9A90-9317FD6B348E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\ini_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\.ini	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2812 reg.exe

pid	process
2812	reg.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exetaskhsvc.exe

pid	process
4884	msedge.exe
4884	msedge.exe
2160	msedge.exe
2160	msedge.exe
2972	msedge.exe
2972	msedge.exe
3600	identity_helper.exe
3600	identity_helper.exe
4844	msedge.exe
4844	msedge.exe
3184	msedge.exe
3184	msedge.exe
2572	msedge.exe
2572	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2412	msedge.exe
2412	msedge.exe
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe
3108	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

pid process

5384 OpenWith.exe
5840 OpenWith.exe
6028 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

Processes:

msedge.exe

pid	process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1168	WMIC.exe
Token: SeSecurityPrivilege	1168	WMIC.exe
Token: SeTakeOwnershipPrivilege	1168	WMIC.exe
Token: SeLoadDriverPrivilege	1168	WMIC.exe
Token: SeSystemProfilePrivilege	1168	WMIC.exe
Token: SeSystemtimePrivilege	1168	WMIC.exe
Token: SeProfSingleProcessPrivilege	1168	WMIC.exe
Token: SeIncBasePriorityPrivilege	1168	WMIC.exe
Token: SeCreatePagefilePrivilege	1168	WMIC.exe
Token: SeBackupPrivilege	1168	WMIC.exe
Token: SeRestorePrivilege	1168	WMIC.exe
Token: SeShutdownPrivilege	1168	WMIC.exe
Token: SeDebugPrivilege	1168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1168	WMIC.exe
Token: SeRemoteShutdownPrivilege	1168	WMIC.exe
Token: SeUndockPrivilege	1168	WMIC.exe
Token: SeManageVolumePrivilege	1168	WMIC.exe
Token: 33	1168	WMIC.exe
Token: 34	1168	WMIC.exe
Token: 35	1168	WMIC.exe
Token: 36	1168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1168	WMIC.exe
Token: SeSecurityPrivilege	1168	WMIC.exe
Token: SeTakeOwnershipPrivilege	1168	WMIC.exe
Token: SeLoadDriverPrivilege	1168	WMIC.exe
Token: SeSystemProfilePrivilege	1168	WMIC.exe
Token: SeSystemtimePrivilege	1168	WMIC.exe
Token: SeProfSingleProcessPrivilege	1168	WMIC.exe
Token: SeIncBasePriorityPrivilege	1168	WMIC.exe
Token: SeCreatePagefilePrivilege	1168	WMIC.exe
Token: SeBackupPrivilege	1168	WMIC.exe
Token: SeRestorePrivilege	1168	WMIC.exe
Token: SeShutdownPrivilege	1168	WMIC.exe
Token: SeDebugPrivilege	1168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1168	WMIC.exe
Token: SeRemoteShutdownPrivilege	1168	WMIC.exe
Token: SeUndockPrivilege	1168	WMIC.exe
Token: SeManageVolumePrivilege	1168	WMIC.exe
Token: 33	1168	WMIC.exe
Token: 34	1168	WMIC.exe
Token: 35	1168	WMIC.exe
Token: 36	1168	WMIC.exe
Token: SeBackupPrivilege	2616	vssvc.exe
Token: SeRestorePrivilege	2616	vssvc.exe
Token: SeAuditPrivilege	2616	vssvc.exe
Token: SeTcbPrivilege	4900	taskse.exe
Token: SeTcbPrivilege	4900	taskse.exe
Token: SeTcbPrivilege	5776	taskse.exe
Token: SeTcbPrivilege	5776	taskse.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

msedge.exe

pid	process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

OpenWith.exeOpenWith.exe@[email protected]@[email protected]OpenWith.exe@[email protected]AcroRd32.exe@[email protected]LogonUI.exe

pid	process
5384	OpenWith.exe
5840	OpenWith.exe
5972	@[email protected]
5972	@[email protected]
3856	@[email protected]
3856	@[email protected]
6028	OpenWith.exe
1908	@[email protected]
1908	@[email protected]
6028	OpenWith.exe
6028	OpenWith.exe
6028	OpenWith.exe
6028	OpenWith.exe
6028	OpenWith.exe
6028	OpenWith.exe
6028	OpenWith.exe
6028	OpenWith.exe
6028	OpenWith.exe
6028	OpenWith.exe
5944	AcroRd32.exe
5944	AcroRd32.exe
5944	AcroRd32.exe
5944	AcroRd32.exe
1088	@[email protected]
2296	LogonUI.exe
2296	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2160 wrote to memory of 4692	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4692	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4072	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4884	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 4884	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe
PID 2160 wrote to memory of 3724	2160	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2068 attrib.exe
1328 attrib.exe

pid	process
2068	attrib.exe
1328	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://yahoo.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd52e3cb8,0x7ffcd52e3cc8,0x7ffcd52e3cd8
2⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
2⤵
PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
2⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5172 /prefetch:8
2⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4088 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
2⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
2⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
2⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
2⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
2⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
2⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
2⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
2⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
2⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
2⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6956 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
2⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1896 /prefetch:1
2⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
2⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
2⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
2⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
2⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
2⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
2⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
2⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7340 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,13017977593389163447,7534491548912378264,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1800 /prefetch:8
2⤵
PID:4392

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:2440

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:2068

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:908

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 128801719174068.bat
3⤵
PID:712

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
PID:4636

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
3⤵
- Views/modifies file attributes
PID:1328

C:\Users\Admin\Downloads\@[email protected]
@[email protected] co
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5972

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
3⤵
PID:5044

C:\Users\Admin\Downloads\@[email protected]
@[email protected] vs
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:3020

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5864

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oiaderoeworuv893" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
3⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oiaderoeworuv893" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:2812

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:6072

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5776

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1820

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4916

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5384

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6028

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\UndoCompress.ini"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
ebf3a71158f4594b5c9b892e99eba63b

SHA1
41fbc86bf9f415e97fbac5f136a0c2f0dab6a0ff

SHA256
8e7362d09d01919fa4651a9cacc8b01eaf7f54f3042a1717c04c2a6148f88080

SHA512
48a93496ff33f7fde8f93610a096ede0bc32d995bae42503db137ebce27ca41563712e5d5c1d3702ddadad06f30eda8ccbb78882dd12fcb4c59d1b37988e3db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9a91b6dd57fc9c4880d34e9e7c6b760f

SHA1
77a09da6ef4343a8b232386e000cd2d6b9fc30a3

SHA256
0170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a

SHA512
9fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bbfb66ff6f5e565ac00d12dbb0f4113d

SHA1
8ee31313329123750487278afb3192d106752f17

SHA256
165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754

SHA512
8ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
67KB

MD5
9e3f75f0eac6a6d237054f7b98301754

SHA1
80a6cb454163c3c11449e3988ad04d6ad6d2b432

SHA256
33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf

SHA512
5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
41KB

MD5
59e89cfa71ea71dd68ba77139687871f

SHA1
e4e29922c94ad478c0bea45ecaaa2072b5e20253

SHA256
e7001f5614f56039d4b9a4671768fe9a6bbf7ca89d4c37a33293923fbb6f3242

SHA512
658c926057a53f1f3198031534533dd78c96115d0239c08de7be160f9a5fa83a33265b96c49c8e6975c9ed660c3692ce60aaecb6e8afaca25b0caf4b231968fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
1.2MB

MD5
3d987b84d52187cb131f644abb746f47

SHA1
0030db7851ed284e99745a7acd501e221784115c

SHA256
80df740334a5705117953c25c58523282d78c6d06eb3da3e0fba7820fbc5a1f8

SHA512
139a698ab427e75a9cf123df1d4eb3a8287ae9f15a6430e5758c49a18d022533752721e5349f2543e3ed0b641fab1bdb46b1836179537b4e6fd091ebbb2c7605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
33KB

MD5
d2c299586fe5d9ba67694f9721a4d1cf

SHA1
72d4d8c3f08034c3c14a4bf04b51854b38ae970d

SHA256
a245918f09af8647f24313833134d3ddbfe2a282aaf34a06216b49f6faa73873

SHA512
47315588220ec8ca7d10ac83c7e2eac41f5788b49299e8bd06549b21641e1c8333f2f1c19a17722987ebd563d2abd1a82985184b00aee283b3b75d4bc38210e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
20KB

MD5
90c7c3cd9f1bda2460a4ce30711d11b7

SHA1
5d62c16f1237f8429a215873602579743cb25aa3

SHA256
f25d0e3f8652167d6a56adb7c8e0441e364dcbc2bb847ad176dc3709d3272450

SHA512
55ee7a7956ddcf57e0e47d83a317ae663a26c5c32d549d2bd3ec4a54f30720ad353ab67b522310f86e1822c628ec5ed654a199d329752d5b8a4eb0c07f78399a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
36KB

MD5
0e045ce9afca2d76d92e1d18344834be

SHA1
f1ebee178f8b20945fde60e392c53c7deeb5d3f9

SHA256
c5c5edb2479ae74b76265ce50f3288286418225c04a6f35148d3d2238a4fad8c

SHA512
d82c38a003956344659b0b095d6639e081e5a87a7ac822efd2366a39109862bd90661bd448e097deb23a26efa042703fa378f5d7c6701fda9651f2525b942821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
48KB

MD5
47b6e3b9a667b9dbc766575634849645

SHA1
54c7e7189111bf33c933817d0a97cefe61fe9a6d

SHA256
302ed4f6c8ac4312d71205603c4c28dd2976fafe4c05533c0a08ab3bdb531aa3

SHA512
a12b74ff45f6f9e6abf459863c299e1fafe61dcf2bea8a7331ed9547de14ed29e2deba69b104c6960db93b458f83ba6a4ba454c5514105e7ffb96da96e26e612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
20KB

MD5
0f3de113dc536643a187f641efae47f4

SHA1
729e48891d13fb7581697f5fee8175f60519615e

SHA256
9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8

SHA512
8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
23KB

MD5
082ea42c1aae3b695989f4b6f6eb0dc7

SHA1
1918fc9585b161ce79c29ff6d2fec39e526a3aa2

SHA256
d87bcc1cb0e666b8812da126e6e308529997c88176123920942b43efade7bc77

SHA512
e6c7b496139c95c43e9af3fbd3b6b4a90a206506a3f823c7003fc42585a404e0323ef85ed6233ac208c066ec528857a8609c36ec6c749cec0702149de2c6f69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
56KB

MD5
15deb2f227868e22e62aad743443fdd3

SHA1
db87dcd259fad33146bd95dfb7edd39e64e14159

SHA256
13ba113a7d1dbf634b226d5d27c91a86bd8edd5cde9607e95cb173fd38e1b88b

SHA512
fea6d0d7e67435be1a06c7a4af844ee7e1fa6aff96f1fab21a1d1c3ae1cbbed28dbef42af3ce63beebe8342e8acc1eba55e5814cd171651dce53634a5ef07123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
19KB

MD5
1ec8fb7f6fd9050ab7c803cab2b0b48f

SHA1
6b831a02f8daed957b82c310cf867aa3e77b9816

SHA256
4345ede1557a49c9322e84fcfe2a20821e47003c2b3c214de6ba6d5d42bac73f

SHA512
d4ef769640f071121d07f8942533c7cfbaf4e4a29476d8977fb31d462e986246278fd599b2cb4344713f5ade2b89faed5c728093e31848c9e428601f0ea2f871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
59KB

MD5
4bc7fdb1eed64d29f27a427feea007b5

SHA1
62b5f0e1731484517796e3d512c5529d0af2666b

SHA256
05282cd78e71a5d9d14cc9676e20900a1d802016b721a48febec7b64e63775f6

SHA512
9900aecac98f2ca3d642a153dd5a53131b23ceec71dd9d3c59e83db24796a0db854f49629449a5c9fe4b7ca3afcdd294086f6b1ba724955551b622bc50e3ba1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
20KB

MD5
62b3656502d2f8f50d792ea1c8c41438

SHA1
cb0fd4f8bdfb6e32e86b6d805916dc95bbed7a71

SHA256
4ff8b2f6c2012d486d9388885d7bed23513913f3e50d35bfc34cfc0e6d4c6385

SHA512
a3fb33fe6c2ff563c8324dfeea173ac02d918b38b14adf56403a8fcba33dd21957bd617b4e15d09e1a347a9fe7415789d710505317754873aea6a8b60167eff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
130KB

MD5
b61b5eac4fb168036c99caf0190ec8d3

SHA1
8440a8168362eb742ea3f700bb2b79f7b0b17719

SHA256
3c495df6db16ed46f0f8a9aff100fa9b26e1434016c41b319f0c1009b7ab2e1f

SHA512
cbccd3aa5a1bdfddba5cc38956b5523a422a1151cdd0680336ab94f07aabecd1695062a0953c32c8209949ea6a4859c625c6deffe5108e8d5e48290017e51874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
22KB

MD5
1ac27973084a93966f6a90d5b518e258

SHA1
787986ea7a061e18e3d858c919a7692c6d100ed3

SHA256
f8a4c49273653af8dff6bc5e910bdc5a4ca5496c60f0221cfbf3da26df2388f8

SHA512
3bbd2a13f7583890c4730aa4fbe49bd1d280950e28917389177b6eddfdfaee6b1969efa3e4741c6ab21e9f83154540ed80652f3c1c9145fd2fa6a0687b6aa461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d3b0ad57bdf7db9_0

Filesize
1KB

MD5
b1f90ec0d3bd844851b8592f897360ad

SHA1
d2482ccb4efef50b22ea354e6da23cb7f6ebed94

SHA256
6d665608c0ee3a102e093e0cb2a6d1584ba9861963efce49cf583289bd1b9a6a

SHA512
b744a06eb1c6c4f420b272315f6ca1753b90f1e78803b3b0189a1de364ef1a7e2c743877d0e1713ba68d7685e33699df63f69ca33821c4959a446597484cea5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\af2cfcaf6d9b18bc_0

Filesize
2KB

MD5
2a1837e1faa16432a81e98eb4417e825

SHA1
0fc53d55cde6296c8f7da9d01ff53cdaebb90b6f

SHA256
17d68540037193b569adc03a6971f46b9e5bb8233943c303ec17b6e8c82783ae

SHA512
7861b4f7d5219e7d11dd6769f06b4995ad31aa291097ed2ec649fa65b5b1feecf04f200d9b8af238dff0a3ed7035d24e287b26fe0b7244605710e9911b778019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0e3ff9fde4c7831de993987293821d82

SHA1
6bc420c74a92453c18b9ff793b343fb23de68d25

SHA256
1dd2cd22555acdb06610dab67eecf6bac9a0268822b3f76f514c77c3f3b92f43

SHA512
48b6a7b8a159a27999f9b9a5c65e21ddc50bf58ca8ff057ba2c1d4ef646d9b6425c94329f556a63b0d1b4c07e06ec102b86ae21374c5a75a5d93fa2b59bdc2f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6ee3de4e9cc4a0a30d5335c7d0506bb2

SHA1
55211b931799b320be10fc5f433f12e6e51a1861

SHA256
2ab807a0472012b0e68c0372b5ba648e8b4fc9e264529295483c4ff999ad667e

SHA512
972830bc7127fee0d9bd85ef1e8243be468ad79c1fe2b94f7cef2d693998fd83f3ba28c734987df09c10474e9b29d5195f1bab813ee44f949bcc339f149c27e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8b7f33714b7e9b14eab9b642c5a9d3de

SHA1
786a99a05ea479a7fdedad14c8e707ceea0584ae

SHA256
56d514dfa43be53c6289186466a76aaf15db2627842308dd935c77792f64bb7a

SHA512
8cb62a3deabdae2ebcc9a1ec30d548f0e8fe278bb96db0dddef5ff53b85eb39e939ee16e67e769bbd56adc0c02a3041e3653c9cd5be8ce43f4569671c381d7f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
bffc8f2939e9b209cad6a910fadd7fda

SHA1
322892bf6b47c88866820b5ca2a445b8690d9b05

SHA256
30de9cddcd49685ecb72b80ab5d8c1b41347445fd5c3ffa44f3c26103b1f6b3b

SHA512
b086df0f20e923e1a6c77b0ae8c94bf58227c8cb1e97ee445d2f1221e24992537aa6c0966ea321d84e03909834ce854a4a6a53f87bcbe807584d7345b12ab5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
db12a788c9598b822445123122cc38fb

SHA1
0ea8c411b365ea96778ead844c9245d7fda7deb3

SHA256
7a1b9d74aa06fcb5455d7b554cfb7a4c03bb8fb07ca3c565e2892f64a7d7bf7b

SHA512
19a02264da9d4ee3095f8aaa74b0ffc3ad805b9353733c51b0b3c7cf57904306551be35ab0ce22cf882574d652486b89a73c6c82ff232cc4a6572ad1d0397be7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
956a40ebc2b7e0a75982bdc97a5711db

SHA1
8494ea049e173c3a12b637b01a2fc1dd627a17a4

SHA256
c806c2da47de745b7a0d2be7a3bcbd869843b2de46e56e9562d09d6c5d036e69

SHA512
23fe6fe8e0913f1e71d4ad74b677a0ada72df9fc45dd27c50eb6eafc43478163317b2c064d66461a6a2a0fa37a102dfe93ddc54b1fbaeb21b70ae389c748a5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1721597762bd8249e0fb75a801dd792c

SHA1
324cf8ffd42f2a625129c70b5a8e1c66e93c9ee4

SHA256
4d87d1e7a1a9ec8c142e4cbd07da125d4220e276ca81e6616571a14d2ff376cb

SHA512
2230bf228db534c5ae38928ee88f65b5a04a4fb36bd5e6641636e932d202c02401d3aa2c77bf44a16e0883a85817d4ead93d46a1545586c8583f7dbfc0a5119a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f1b70c596e4830cae3a249bd4aedf07

SHA1
7eeb8a89b7c480502d96ccd231f499d9359a8c5b

SHA256
2c94beccf6c171f63512d05204f3ade9c32091a4a5f914b5c0cad359e9b619cf

SHA512
ce20936f1f80e03aa2c85ca0dce8a16a8d5b2b8ac0717445e34fa740b3ebb6591785777b9d7424ac89dcfe60e03aa922268c7cd6f87f7f5e2123f74388a96a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85b264eda1c970227b391955c3c58a1b

SHA1
2c4ed63063fc1720783abc7860bd794108c05317

SHA256
843f2f2df418514b7e2b9391bc7b4d4e0453edcb511cae395d50bc18f75d5919

SHA512
fee674eb76ac03c27246de6df21b228e241f56fd07b8cc537e7ca1e534c632b93365ca79689acd01ac84d4743b08b3d1ee940867fecbc08aede7f2bd00152c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5b5e546d678716f1ce5717fdcf8f9d6e

SHA1
8189be16d46c41fcb4dc87a2bb0dc58940a8d606

SHA256
ea4dac381717698eeb4d124a51643bebd04c68b53eac4d6ac863a2d9c603741c

SHA512
a633ab0b6fc2e7c75afb72f28b32ea651554cd4f305910d28a7ac287da173ee5584ee206eeca39b81dbc0d627ff68187dd0cba260bf19b47be24814e0bca3e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5defe34bc6357c55b513a100519b31b6

SHA1
04aec2555974e4b0027c2adbc2421cae923b85fa

SHA256
1080852e45945a367b740fcbbb07fa10625e36421a4a0ec616e4a18c843d773f

SHA512
4498f1ab60d717a02709643f35e17e26cfc74f67e266aabf5ccc86f21c801d70d823c760c60c09e2846e41fdfa1fec9c8027f6d17eb396cdf3b254ad651126de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c0482440d5482c7aa61214a8d37ad98

SHA1
51d553a17f340aca395c91f84fd99f362b0311df

SHA256
f151fb80ba5b9826c0d95f58242d0737043288f76522e314d114beff87d11a59

SHA512
11e5cb92125149bb2174fda495a9edb84d347474854b3058280a40db9dec43feec00eeedc557ce6bb11b2e958320bb263ed434568389eca4c956e271a8fed871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f95cb55afac856a8436a8bd6ebca3320

SHA1
ccb867d399391105ad8fbe88e4cbd3de865e9118

SHA256
7da2025ff649deb8728eea886b1e8c0e5f0988e8146b9409e7901ee7f25450ca

SHA512
1ead586b02fe9dcbcc43d975bdb6d5ba13e466a0c864cc59ba4cce5538c9fe903442535ed0202fb67191c0e707e2254286a9e1ca122b3dcb845a44f2b9c55f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
75d15af36c39ffb826ec60a8177ae99c

SHA1
f94a04383b4b504f7da5cbc7c73856f785df10ad

SHA256
4b44c00ae404bb77e9750d30befe55dede230ebfd2c39b7e48ba445a1152cedf

SHA512
1e887a77c41b38b8a994c9e02d4ce343ba9098ab7dbc5bf887fc93b666e76d3c847f85c49187f150d0b10c611e66e30e4d5d9b88b5a4ef2533304bb5d641c024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ae9f85035f7112b63420b5e3a4b968db

SHA1
1a4e05f03d5db076b078a7362b3d0246089c9484

SHA256
37f0ca0a40fdb92a45a0725440b2cb04b52d62aac8d74f7e58a3552ebaaf80bb

SHA512
292c7fcbdfe840c57a7fbbbd8ef29cef340c099d5c024a088cb9d9d8c0214d4f7177bea235794a69039a34e7b8df126ec49185e921091aea24d15d5e4d024b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a2d9e9976dfd221eb8412c35e7b1aaf0

SHA1
861090d553e76d52476d4d544cc973567406f528

SHA256
977b5c9926c5e77ab25094d3f6a33efc0d0608dc33d6627b5fbd7c4fca834d5e

SHA512
15a40db5b43e2bfa902c69de4da1104cd88366a8ce336da10de56c63fc9a6705b8e9ff49ecf43cd12862a47caa8817dffe86175e8f642157f2ad0af626efa060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
554031ee88134922f9709bc8851c18c1

SHA1
92fd8ac1a8df16caf32aa24c2d995143572c2e91

SHA256
bdf6bc7477351c74b8907471d216fe257d6993c6e01e4221c1d9583513a24a8e

SHA512
f1d9c7f20538a97f4439d61b1b3e85a47408d0d05a079c83ee088d07c8bf1c82fc0f1cece5a8a25616635fcdc31bd4be798dee624c98ca1289b993b83c2360cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fed1448535119cbddb193491e2a835be

SHA1
ca4c7deb24d97978dc758f0140c9611234200e05

SHA256
3fd90e3a44bd9181fa267e93b4b9172fbc5bcae65eae1211fa6dee0702a722f1

SHA512
7e4eaefbf73d85ae57465af58240e933c4e7eaf03b27b95fb33ae84ed3bfe1d074ef1be27180ef3775db77eb242f633884740caab46c8fa9659551cecbf122af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bea02cd0f6de000885f12df8f06ca2e6

SHA1
9a1aa9b534c89b063bbce0024e1132e8e9c73c68

SHA256
001d44cb5c53314b2a145ad8b4062e11db936f8d776de5ea07f0f0578615ccd3

SHA512
9ca50a969783161cc779acbadb9df1773f417ad16d010e8bc0b6b1b91ba34022c8981e21335b0dbfd92d3422bd4a0e9642c0e8ee761293e6f37a0c393b33f4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
427e05ec186dfd732b103d78c10072a5

SHA1
c4c0c7ab60b95a3fc4b739a47ac69dd44d480ff6

SHA256
61057383d128fde0dad5376c751aad925c06267c63c13b51202cbfb4c8ba23bc

SHA512
b9dc7ee81dd473e0f93c805c8f459c7b64bf2a050bdbc280e7506852c86d62981a95398525ed688605edb96b5a3a0d0a3d280b56f38d001ac43503a5a2ca6b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bdb238c821c3bc741b0d80fc6d234ed3

SHA1
cb9399871aaa3dc29bcfd93d3925e196af6d5a29

SHA256
faa16ab0ccfb9491da54d428df48a2a77493144ba76a0824751143fc47394c4c

SHA512
dbbe790a185dc55f96ec0a09a7025a7c84bf05c2649cb62908b5d63ef5dfc01c09b7fdb434e9561604c8a46067ed41dbbe178e419bd2abfccfd56b39be5d671e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3636a223b0b0760670ae6b974b361611

SHA1
a5f44026ce0ed83b7e5136906c4cebf272cd4a35

SHA256
bd5d7624e149e40b6f36aa2f834f1b5fd9a9d377e81f3f15217a197415656cbe

SHA512
a31c94a39edcd5adf275e4222cbaf1894d65713c6fc31fd1df2dace2a215a275e1f3b8c304c3b0074ac075c57d7e1ca0e8b7ab4e742ab957a233a966c1ceb059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
220859f4313a73073429f39c722e09b4

SHA1
04aa50697871cce76e45f164d51773fb3a001b47

SHA256
e9e1c4604ece1f93698c2893667be9124bf7c9e19a71b0c138e93e24801069d7

SHA512
dc74a366d7ba6a05d3644fdd8b08b3b7eef91eff171eb150f18b5db964be094092de419feacb1c8b4dd432e9d232c962c0f1f3bccd7c12ac1fcc90c30c55e273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6252071026bf4c004b5cd71cb4291198

SHA1
d1d8979bf18fa9981a3d4c6797aefcabe5024587

SHA256
cf9e8c2d04a0f61288b18a17760f34f595d54a524ce214b99ac5d34a5b76a6df

SHA512
187bac6c297c713ad5496c2b05d4dd55c4bde24eaa4aac6d5c3dd4e5dd46710409546bc8553b1b41bea0ad8b08de44a0ca8fee517c80706f6608288df2e5ff61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6d23f040996fde17dd0d05b42e678787

SHA1
f940981a60ffbf3471ed5eb4c498a5418507c4ee

SHA256
c870fb137311db1c03a67308e2caacbb6c6b0c1952446fd3771ac4db55ec99d7

SHA512
8be25020772095d3b1124a32606ed8cb0c71aaea30c7b0b460881fd583990843d95752ada0665037809c697d39b11cb2d3931010b1a0e893574dbf07f5da91cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a4f32a9e174a0a411ce14f6a99d7ba4a

SHA1
460f2e37f5dce82bddcb91a5bf30c45e74d86d3a

SHA256
9d72e20de16726eee6c7fc58a7445c4ed337c8404e4eddc14018e9a74d389c77

SHA512
6a3a1dd58a4502d64b53a0085bd1de07f2a86167ae9c6c3c07c4cf95743f9d26b12a76c10ee34c483f6e46c43783dbb2d5eb014620e95d245a8011986441783e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c8e81c5b7df15e1d6689d6207b4cb114

SHA1
ba9ef8e84a81ade45bdf317b50ab48658720a37d

SHA256
35d76e6249efd7be66c676bd9a649958699a42ea180cbb8b5e405438469eff05

SHA512
6f74d330fae4bfff82287f91c7ac8fde871bff49206a824be0aaf589eac9c25a443e126a5a5f132ee9ebcd14f4a56729504b700993cc5f2c63de905b1d8e0760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1bd8bd8b7813d1a977406d0eb91a4ce7

SHA1
2e19fdfe56546cb6578a7d72cd9afac1755891e3

SHA256
6e6350e6d7d8ee0bd4dad0ffd75bebe875eb483aa9a0211ecc3f3fdb714f8216

SHA512
2031c5900ceb749cdae5d2313bb8d58c6824ca5debabedc160a1d8a153c2306f1a9e1285103919e5e245e7f0c88ce49a43a3cea3a7a08c76680caa4c97506acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a18f.TMP

Filesize
1KB

MD5
33dcffec0670e5137a928b645b787cb8

SHA1
660cc24d5d334845943984c1a989045ec82f7681

SHA256
8c24f28aed1c93e01efe872c15e68a060eb7576338d3b0d4b634ada60dd5fc6a

SHA512
9c451b9b4d1642507a4ea8ec1a6c4e81f50863b875d09a9cf1d1d3b6b1d3bbb55c333eed625176cf36e4cf83f39739cefab9829dff0c0172c5075ea7797f41db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
97705534fde14fbba2e03837d7b7b5c5

SHA1
f340149b65a488f988046cb6ac4a6ce18ef42f88

SHA256
a685df4a38b57e117e506abe7d250c8bd2faa0649774960fa1307bf161696dcc

SHA512
04329f9258dd2cf13913743fa2bc6e56ec6693b9d06f608264bd137b674b26fa00ff69da8e04160aae5876b9e9d76093f00f0b9bfcbc6e26c7ddeed4bc8aeac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d6e8ccf8752efe0021b852ff59e4c4c8

SHA1
c303aeaba86586b2ede1c017af1583d7f2a05b63

SHA256
f45a97eb864940ccbce7d52dcc3fa5a6472258ff254954cb803b1d79ac20bbc6

SHA512
79d7e9d96d7abaa306fb28b623bebd834e3896d8dc51c003ca1c1dd0a785994069e82abf638aa61143c701815c4720f0b662a5148bdbe83b6be1a9894e8bf752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
386710ad1bdae43875a16a5dd281347d

SHA1
f5bb1b10bca23e879af6cbe7c6cf3b61c4e77230

SHA256
9d2cd5ae4a3a96ac3570058875092b3ce00fc2732ebe465965377aed1c612fdf

SHA512
a67e01d10098690466b04929375f99a3a4f4abbd4638e0746fccd66fad63514bdb6dbdb737719df6da6fc8f4511879e2b264509a4456126e17f10879801c004b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5667e22c9f3f74d84a60e816e2f921be

SHA1
2d78b85149645c48da0f694402671dff977d8be7

SHA256
0fbbaa1720bdbc5e849fb8c22f659bb611bd49a9216052e7f7e1165076320dc8

SHA512
cdb7f52c23e380c333ba445d8a4a768d941656050413e99c73d613a41aacfc944173c991ea9d5b8bc1aa5deee8fbd74a4a60661ba01fc6c9de16422af5d66497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
016080a23f0733ce24ae4220c01214a8

SHA1
f69bd24dcf515f54a4869e0a44f2153249d594f6

SHA256
95937d530da8184626fd8ae087d8d08b5a2ec44313caa2a4a74eeba9db6901a0

SHA512
30c37dfa0c363eaba7f684c4b1d829c844cb3e2ebf636f1f7dc09d77bf44cd40e9897c3d3b8794f0cb4598801d789332fc9ff25e8c8a31ea0bdb0dbdd9bfea1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9f1b0b1747cb213dfd89bb1d6ae1c6ae

SHA1
f1009345a467db568dc1e75a2d2bb2ea72db95c1

SHA256
ba8bf4ab7a07214e06c8ee21dac1ceb57d3e9560926155d4e06f15a10e043097

SHA512
f3ef7a383c2ed705c761a09f9208e0f4116a09b2d178cc290682efe558dabb0c90a1f14d33efd6b455a4d5157dec7dba495ff1e34149a869870b168aa5a0fe30

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.2MB

MD5
fe17886a532a61d4bbbee7c28c8ce72e

SHA1
223319a0436eb28a307c56965a1777d117a031db

SHA256
a64dcbffa83cdb2e5a9badc2f6e47699b34ff7bff2d6b9f17232b42c34812810

SHA512
16196260a21f04a184fd20bb80e133ea7fdc965939dd0f23033c6cf1574f72f009697322ca3756f3fd931227826df192c853e63d3fa514643403ea07095c0b44

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip

Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
\??\pipe\LOCAL\crashpad_2160_GRPTYWNTRFHKTKHQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2440-1710-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3108-3374-0x0000000073E80000-0x0000000073E9C000-memory.dmp

Filesize
112KB

Download
memory/3108-3372-0x0000000000480000-0x000000000077E000-memory.dmp

Filesize
3.0MB

Download
memory/3108-3338-0x0000000073EA0000-0x0000000073F22000-memory.dmp

Filesize
520KB

Download
memory/3108-3342-0x0000000000480000-0x000000000077E000-memory.dmp

Filesize
3.0MB

Download
memory/3108-3375-0x0000000073DF0000-0x0000000073E72000-memory.dmp

Filesize
520KB

Download
memory/3108-3378-0x0000000073B50000-0x0000000073D6C000-memory.dmp

Filesize
2.1MB

Download
memory/3108-3377-0x0000000073B20000-0x0000000073B42000-memory.dmp

Filesize
136KB

Download
memory/3108-3376-0x0000000073D70000-0x0000000073DE7000-memory.dmp

Filesize
476KB

Download
memory/3108-3339-0x0000000073B50000-0x0000000073D6C000-memory.dmp

Filesize
2.1MB

Download
memory/3108-3341-0x0000000073B20000-0x0000000073B42000-memory.dmp

Filesize
136KB

Download
memory/3108-3373-0x0000000073EA0000-0x0000000073F22000-memory.dmp

Filesize
520KB

Download
memory/3108-3380-0x0000000000480000-0x000000000077E000-memory.dmp

Filesize
3.0MB

Download
memory/3108-3403-0x0000000000480000-0x000000000077E000-memory.dmp

Filesize
3.0MB

Download
memory/3108-3409-0x0000000073B50000-0x0000000073D6C000-memory.dmp

Filesize
2.1MB

Download
memory/3108-3340-0x0000000073DF0000-0x0000000073E72000-memory.dmp

Filesize
520KB

Download
memory/3108-3425-0x0000000000480000-0x000000000077E000-memory.dmp

Filesize
3.0MB

Download
memory/3108-3431-0x0000000073B50000-0x0000000073D6C000-memory.dmp

Filesize
2.1MB

Download
memory/3108-3468-0x0000000000480000-0x000000000077E000-memory.dmp

Filesize
3.0MB

Download
memory/3108-3498-0x0000000000480000-0x000000000077E000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads