Analysis

  • max time kernel
    276s
  • max time network
    278s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2024 03:07

General

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.)
rar password: wcry123
Run and follow the instructions!
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (516) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 7 IoCs
  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 13 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 4 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://GitHub.com
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbc3746f8,0x7ffcbc374708,0x7ffcbc374718
      2⤵
        PID:3252
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        2⤵
          PID:1860
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2552
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
          2⤵
            PID:1428
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
            2⤵
              PID:2064
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
              2⤵
                PID:1976
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
                2⤵
                  PID:1540
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
                  2⤵
                    PID:2716
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
                    2⤵
                      PID:1408
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
                      2⤵
                        PID:2620
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
                        2⤵
                          PID:2184
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3816
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
                          2⤵
                            PID:2564
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
                            2⤵
                              PID:2716
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3480 /prefetch:8
                              2⤵
                                PID:748
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5124 /prefetch:8
                                2⤵
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3344
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
                                2⤵
                                  PID:4604
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
                                  2⤵
                                    PID:4976
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
                                    2⤵
                                      PID:4768
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
                                      2⤵
                                        PID:2060
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
                                        2⤵
                                          PID:5440
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1
                                          2⤵
                                            PID:5448
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
                                            2⤵
                                              PID:5864
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6644 /prefetch:8
                                              2⤵
                                                PID:6128
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
                                                2⤵
                                                  PID:6076
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:8
                                                  2⤵
                                                    PID:1808
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6292 /prefetch:8
                                                    2⤵
                                                      PID:4436
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6080 /prefetch:8
                                                      2⤵
                                                        PID:5416
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
                                                        2⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:5440
                                                      • C:\Users\Admin\Downloads\CoronaVirus (1).exe
                                                        "C:\Users\Admin\Downloads\CoronaVirus (1).exe"
                                                        2⤵
                                                        • Checks computer location settings
                                                        • Drops startup file
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        • Drops desktop.ini file(s)
                                                        • Drops file in System32 directory
                                                        • Drops file in Program Files directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:4392
                                                        • C:\Windows\system32\cmd.exe
                                                          "C:\Windows\system32\cmd.exe"
                                                          3⤵
                                                            PID:6004
                                                            • C:\Windows\system32\mode.com
                                                              mode con cp select=1251
                                                              4⤵
                                                                PID:9916
                                                              • C:\Windows\system32\vssadmin.exe
                                                                vssadmin delete shadows /all /quiet
                                                                4⤵
                                                                • Interacts with shadow copies
                                                                PID:11140
                                                            • C:\Windows\system32\cmd.exe
                                                              "C:\Windows\system32\cmd.exe"
                                                              3⤵
                                                                PID:9804
                                                                • C:\Windows\system32\mode.com
                                                                  mode con cp select=1251
                                                                  4⤵
                                                                    PID:9428
                                                                  • C:\Windows\system32\vssadmin.exe
                                                                    vssadmin delete shadows /all /quiet
                                                                    4⤵
                                                                    • Interacts with shadow copies
                                                                    PID:9072
                                                                • C:\Windows\System32\mshta.exe
                                                                  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                                  3⤵
                                                                    PID:9412
                                                                  • C:\Windows\System32\mshta.exe
                                                                    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                                    3⤵
                                                                      PID:9316
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
                                                                    2⤵
                                                                      PID:21604
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6624 /prefetch:2
                                                                      2⤵
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:36564
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
                                                                      2⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:35444
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7036 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:35632
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6432 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:36440
                                                                    • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                      "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:36848
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Drops file in Windows directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:37004
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /c schtasks /Delete /F /TN rhaegal
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:36364
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /Delete /F /TN rhaegal
                                                                            5⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:36700
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 374095387 && exit"
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:36576
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 374095387 && exit"
                                                                            5⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:33280
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:29:00
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:36800
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:29:00
                                                                            5⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:34004
                                                                        • C:\Windows\47C8.tmp
                                                                          "C:\Windows\47C8.tmp" \\.\pipe\{12F56AD9-BFDC-4220-B5C1-13A60E23BC59}
                                                                          4⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:33248
                                                                    • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                      "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:7388
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Drops file in Windows directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:22464
                                                                    • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                      "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:9848
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Drops file in Windows directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:8788
                                                                    • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                      "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:7664
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Drops file in Windows directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:8020
                                                                    • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                      "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:11584
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Drops file in Windows directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:9232
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
                                                                      2⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:10972
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:11784
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:12268
                                                                    • C:\Users\Admin\Downloads\WannaCry.exe
                                                                      "C:\Users\Admin\Downloads\WannaCry.exe"
                                                                      2⤵
                                                                      • Drops startup file
                                                                      • Executes dropped EXE
                                                                      • Adds Run key to start application
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:11284
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c 162771721877139.bat
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:10596
                                                                        • C:\Windows\SysWOW64\cscript.exe
                                                                          cscript //nologo c.vbs
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:11916
                                                                      • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
                                                                        !WannaDecryptor!.exe f
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:11920
                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                        taskkill /f /im MSExchange*
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Kills process with taskkill
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:10744
                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                        taskkill /f /im Microsoft.Exchange.*
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Kills process with taskkill
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:12104
                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                        taskkill /f /im sqlserver.exe
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Kills process with taskkill
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:12200
                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                        taskkill /f /im sqlwriter.exe
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Kills process with taskkill
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:12276
                                                                      • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
                                                                        !WannaDecryptor!.exe c
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:16672
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd.exe /c start /b !WannaDecryptor!.exe v
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:17428
                                                                        • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
                                                                          !WannaDecryptor!.exe v
                                                                          4⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:15912
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                                            5⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:8932
                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                              wmic shadowcopy delete
                                                                              6⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:13788
                                                                      • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
                                                                        !WannaDecryptor!.exe
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Sets desktop wallpaper using registry
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:18068
                                                                    • C:\Users\Admin\Downloads\WannaCry.exe
                                                                      "C:\Users\Admin\Downloads\WannaCry.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:16480
                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                    1⤵
                                                                      PID:3224
                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                      1⤵
                                                                        PID:5020
                                                                      • C:\Windows\system32\vssvc.exe
                                                                        C:\Windows\system32\vssvc.exe
                                                                        1⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:17984

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Downloads

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        566e4308dcfd84cdaa8e1c9ad3a78278

                                                                        SHA1

                                                                        911a5be397674dbfa4338fda0be3491bb092959d

                                                                        SHA256

                                                                        36854342e7813eabc5c5bd0ae232a0dbfaec15d01fe695c3e490e3cab639d321

                                                                        SHA512

                                                                        69f38c91edccb022bc5b74065ca0c6b8166c7ad7ba1eeb979ccd915a647ea3afd9d720360f02de6799f658d4c406f87d1e4ed32ea8f4a9de9515dba2e233b432

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        3a90d6101560ee815f6843ad7fe4211c

                                                                        SHA1

                                                                        fd8726c9044651a33fe07134b62780c8b904fa48

                                                                        SHA256

                                                                        fa3eb328a3b1a46b164df0c3949bbd60c4bae5acd0966cd065d454ad2cf82268

                                                                        SHA512

                                                                        97e4e567d6bc9aae6673884b949f838e574c7f4452995dc5b1aa8f006c6f91f9b124c00ac20ed183210b087e24a002cc94ff274f8e311f5d68ac884e59f89ef5

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        94be25ce6c1c27248262552d44f74b4a

                                                                        SHA1

                                                                        fe0ce315bc62194dfd8ea463809ef8357826098c

                                                                        SHA256

                                                                        e96a6287a994b9030a726f5d8a261e178ca77f4c35740c91b658d33ee5c6c32b

                                                                        SHA512

                                                                        18b087da52d04996b4e0203c4439c0427145c3cbe14ac5f5ca4de34e107fde4c7d55043a7ac334980a81113f067d3be8b3e4e67bf7c62deae32a36eed5b17f8f

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe59f217.TMP

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        06704cfd0ca52b92403d085da74c1ab6

                                                                        SHA1

                                                                        98742c8e83f228f3b6d5c2479312055df92348f5

                                                                        SHA256

                                                                        915850f82d3cd8490d254d29e78bd464c08fb9673106217e17800f76405a710e

                                                                        SHA512

                                                                        ffd13d3ca9d520e2b0da6442f52741c2be94487526cafc2e7d613e4e1048e92863bd1841bf516b8595f2716dd0fa436561c0781874409a9a7acf84f0c3ca8709

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        1e4cb7dc352538173a531554d9957392

                                                                        SHA1

                                                                        9e68ec2cc04102cd8a7c77184bce0f07fe5d3f42

                                                                        SHA256

                                                                        da219a23b481abf6ad934e257455294ffe5ca41681dc541d2e1f717ca9bd68c0

                                                                        SHA512

                                                                        c849d51264c4081154cb31516d427e40505826c38073e42623916c4cc99e11238d47b4f098fa2236623b136b594ece79c60debc1022ba85c5a9a1fe88c00eafb

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        5KB

                                                                        MD5

                                                                        ae90a4efd565a98925e275c528fc047b

                                                                        SHA1

                                                                        3b7884775c35cac353a51dbb508b4346575aadc7

                                                                        SHA256

                                                                        cefe8ca1f540bad66be871bbd9037b7b9a6c495259ae68de59ec371f98c6bd4e

                                                                        SHA512

                                                                        22076df7a6fb82fa085279a53797162fdce5ee74a422b9122ecb5cd423211d14dfee6cd86b47e53313b9ae47f8616db57a8d57920cb99bcf5bf018315b973d4d

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        ac40a13a51767cb0b05460121ba63bdc

                                                                        SHA1

                                                                        f8b91ebe4a74f5dec0b294520297907c40aa9aec

                                                                        SHA256

                                                                        acad05da01de170937bf531b84855b36513bc5c42f9e07e871b8fdbb575b9e7e

                                                                        SHA512

                                                                        4a9689389dca184c5750d5943bf6169b283e69d1b2f2e7637e66a5a52a837f4b8610cba158c1af39332a6d6dc19f6a56775341fc3acb1fa15e79f5f167852389

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        26f5e52a0db6edfcbaeac205dda8d47a

                                                                        SHA1

                                                                        7151eb32de5d039733d9cf87544fa9192b9ca314

                                                                        SHA256

                                                                        937beec0a08ee258d0d191a46d3baff79bf8aa1392850d5833f4bb8f7e754548

                                                                        SHA512

                                                                        34043ce3ff6054bc2e34aeebe613ce1e9f150c0dd88078b6cf869b8bd1587e32f37c59db2127384155f1a18235693ae91aa2aa12ec3dfe5369cb5b5011d90758

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        ce367ed7c4917f1004f9c1b8a5bebd37

                                                                        SHA1

                                                                        df3f047063a7dace48640efa9eed7be024521daf

                                                                        SHA256

                                                                        530630b270dc8ca0d3adeed9cfa1d0b80fe3b2c4f7df3d4654a2e8e03b76ef0b

                                                                        SHA512

                                                                        d13ac51cbdd0f64afe258c51e08b741f7ce026ed06a1ae392ae4b36440f01c43dca07f17ef80236e0c0d357beecc365cf6caf2a668b3b46c5cbd8d687ae05eee

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        0b90ecd52134764fc3aeb24eccd335a2

                                                                        SHA1

                                                                        d5a065a30360d70cdb87bd8e1ffcf0d588775ad0

                                                                        SHA256

                                                                        debae94e3becfc41d46f5fdadb6a8c167e5dfe8beae6edcf9d19f994458fbcc6

                                                                        SHA512

                                                                        73f6a0150eb039eeea675e7d187c583b2e7a0122a698bf2ccae54d55dc9db0c3323b748e9565ef881e0deda8b9db6bc8e8e5117df58f7cf2b33ea77b8e666a2e

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        5fdc01abedb7a4a5631541ab7c105bc0

                                                                        SHA1

                                                                        e47c2a3de83b54cac89cbd5a336d23e1bcc7fc34

                                                                        SHA256

                                                                        2fc902f57c495c79a540a8ebbda806756b28fbbb7accd7dba9636349ef1fcc6a

                                                                        SHA512

                                                                        e47f0da5cdcb003705d00d83dc219ef733b6a11183e50a0d2add8e2714e142d978566191c542a6436649bd38d82005c41ba4c5e7c81a82545e73e57cb6d3de62

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        701B

                                                                        MD5

                                                                        60bec04327f93548d1348eae2fa2baa5

                                                                        SHA1

                                                                        1d46ceedaede8675ddd13a3e68ca2240422be257

                                                                        SHA256

                                                                        879434601dc5051f60f6bd77474c299f68c00baccd10ed55ed34240c32386da2

                                                                        SHA512

                                                                        fada5eb623953b89583755f3d693e77a4fcb975ea21fc61ce79924a44a284b936f9252a209da50a0a71c1a4af0f393ed3c4257c4b0e827c59e79a0486e891ae5

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        f7ed0953aac01d764c63ee58767be4a1

                                                                        SHA1

                                                                        7dec9e52e559ec14a38b718fb59ad614226ef0ba

                                                                        SHA256

                                                                        e1e7e66a0b8cca7ba80a26783a6a23ad9253cacf93f538a1fe44b193839d07be

                                                                        SHA512

                                                                        0c41b2a98211bd1559ffce24adab06ca524c1fcb88d356f3e0f2b164566e8b9a80bdaac822520038e4dc732fc404e89f306be40bd4b79f116e6806f7d4cff2bc

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        217481daa5910240683474a9d6f2b436

                                                                        SHA1

                                                                        66adbe82cdd104eae88367d2c2b13c1f1176135a

                                                                        SHA256

                                                                        16cd0b0c5d8fb643bce05a24f5b3fca977810a38c6898c4d5cd841c27a6f6982

                                                                        SHA512

                                                                        aa087f6f187bfcce35de34a0ae408460662cc4c19a744ded7032ce6441e837b5206e337a3c51a72c382bd7e1d5fa4417d72766e6af070bb1d098351e4366c499

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        6a4d10b0e9c1447aaacbf2ea1a8e8159

                                                                        SHA1

                                                                        bc35fa48d3c95991795a64af9a0fe76cf5709a5e

                                                                        SHA256

                                                                        4abca8682d0c5c2f6344f70a2b02af07d7193a3040de0fc028374a825fcd8862

                                                                        SHA512

                                                                        60e417a37a49c7d6a3d047af9a85c8c22392b09ac0111dc1378b80b44f379eef194a52e2569c8063d3ed4e2d39c187ef728147e2655c3ae7eaaae291736f35ea

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        956b9b7f9ba6c11114683f2326283fc8

                                                                        SHA1

                                                                        d6d0b381afd92e425a925a3b5ba2ef20ad442569

                                                                        SHA256

                                                                        80aeb59902560bfe5f10f0bebb69efc0492560007a4915b66361151067cf8ddc

                                                                        SHA512

                                                                        ac255aaa14b8aa9e8827ba69dc858dacb4b42d562642ea514f819c244f6995441792d22dad16d64675ee52c02dc7a71b9d086bfc316edcad81cd50bd52d8194c

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        73abda65d13e58ba54e774f01283b11a

                                                                        SHA1

                                                                        e3542ca069bd54651673baa6f2d0540c3db2e967

                                                                        SHA256

                                                                        213352678ffb1794ab7eaef9f3195c46fbdc97abd34c87617be15bdd72764074

                                                                        SHA512

                                                                        37e005de695494700b4fe1f99574d4a0041d91341e781c06b54f43cb6cb20faf2c7213cc3e84aac4f4d159b38f131c597bf19d8c107376e30eec41ea9bf87aeb

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        ee20c271bc5f56d483b9b746567802a8

                                                                        SHA1

                                                                        ae48af09d5a20349252b0fef13cbf96adabf6e54

                                                                        SHA256

                                                                        4e49ab9e828a62b1964cf95de23651be5cbf57241ac2aba5735721606f0554e2

                                                                        SHA512

                                                                        b5d05dd3c92988f96a536b66f084ec01dc3fe8e57980caa8d78eea8d25373aa344fd095107757123e7fff71c562bdeb3479a07e7cbd4b1971763b0dff764dc86

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        4cef8e3e63be369db7fdba51bc0cce2f

                                                                        SHA1

                                                                        207ee2c5a076fa4ca6bd9e3b3acf45b3bf421f7f

                                                                        SHA256

                                                                        6abf6fea494e71670dbcab15b8dc0933169b83cae923b449ca6b36ec6cefdbc4

                                                                        SHA512

                                                                        57fb21f2643c1ed96e904f5c498fe3ec856ea63c5bb41193ad2ba39f0ed03bc5da3ab28febaf6859dd82ba30471c1e05cac1413456f05ed5a44cc22464c11f85

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        b4a35a8cfcae02e581fd40f045d6cb43

                                                                        SHA1

                                                                        46e514bf10bb10cf2419e9e9c62b39d59e1d01f0

                                                                        SHA256

                                                                        e6d2dde025572a86c74a86f9983703d4ff3a7c390d2bff2cb802633c8a9e9560

                                                                        SHA512

                                                                        74b4800272a53a6cda17523171e2242e5ab5b4418f85126f270c64c2360bb2f8171141b7451d086422beb44d7a72894c8a5673002968f6cb7337ae4933422e9b

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        dd6071ea9878ed4293f1339214a6716e

                                                                        SHA1

                                                                        5d06ba1638cbbcd5e8075782fdfe994092eaee19

                                                                        SHA256

                                                                        39c27d090ba52b5dbaa679084a6fd2fea8c2001a6c928d5f1e5c910835a9d8e9

                                                                        SHA512

                                                                        8a01230ff470d1383421e4f5e6b215501abeb279acd8d8c602c7b0091efaf78b9f521846c405acc75d54b024a535336d9235bf1fcf03567f70ff146320b14d94

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ff40.TMP

                                                                        Filesize

                                                                        367B

                                                                        MD5

                                                                        559b75e0cfd9dc19231244a342dfc496

                                                                        SHA1

                                                                        f100a20e548f77be70183de68f8ffaaf33022319

                                                                        SHA256

                                                                        eeb0d40c62111fcf23bd41f66f85cecfb0633ddf39989137fd679feea8c63259

                                                                        SHA512

                                                                        eb3efe23f59573af20565853b11c98029f75f2804fc7a5588b3af85c7d94bff9250a509735a8e68d1049677e784c188e3bfab5503c0962f7abc571186508aca5

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c2aa.TMP

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        843d5be90ae0fe2960a385d58af6c81e

                                                                        SHA1

                                                                        d16964ba07b95e3ea0416935ef24d450cf9db909

                                                                        SHA256

                                                                        50ee1852acaaa67d00dd79ea1df9a8827771efc4fadae0268bf5130644ae2abc

                                                                        SHA512

                                                                        c92ca4192be6de1929440d5bac92f07a1eee52cd5dea7ca6beccb0361c8ed14e1f1ecefb4b3fd11878c0f8d2ebc1d43ac921ad19be2e38c36e10e970465170a8

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                        Filesize

                                                                        16B

                                                                        MD5

                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                        SHA1

                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                        SHA256

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize 12KB

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize 12KB

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize 12KB

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize 12KB

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize 11KB

• C:\Users\Admin\Downloads\!Please Read Me!.txt
  Filesize 797B

• C:\Users\Admin\Downloads\Unconfirmed 421864.crdownload
  Filesize 224KB

• C:\Users\Admin\Downloads\Unconfirmed 421864.crdownload:SmartScreen
  Filesize 7B

• C:\Users\Admin\Downloads\Unconfirmed 938327.crdownload
  Filesize 431KB

• C:\Users\Admin\Downloads\u.wry
  Filesize 236KB

• C:\Windows\infpub.dat
  Filesize 401KB

• memory/4392-5034-0x0000000000400000-0x000000000056F000-memory.dmp
  Filesize 1.4MB

• memory/4392-701-0x0000000000400000-0x000000000056F000-memory.dmp
  Filesize 1.4MB

• memory/4392-670-0x0000000000400000-0x000000000056F000-memory.dmp
  Filesize 1.4MB

• memory/8020-26221-0x0000000000A80000-0x0000000000AE8000-memory.dmp
  Filesize 416KB

• memory/8020-26229-0x0000000000A80000-0x0000000000AE8000-memory.dmp
  Filesize 416KB

• memory/8788-26201-0x00000000011D0000-0x0000000001238000-memory.dmp
  Filesize 416KB

• memory/8788-26209-0x00000000011D0000-0x0000000001238000-memory.dmp
  Filesize 416KB

• memory/9232-26231-0x0000000000D20000-0x0000000000D88000-memory.dmp
  Filesize 416KB

• memory/9232-26239-0x0000000000D20000-0x0000000000D88000-memory.dmp
  Filesize 416KB

• memory/22464-26191-0x0000000002BE0000-0x0000000002C48000-memory.dmp
  Filesize 416KB

• memory/22464-26199-0x0000000002BE0000-0x0000000002C48000-memory.dmp
  Filesize 416KB

• memory/37004-26156-0x0000000002900000-0x0000000002968000-memory.dmp
  Filesize 416KB

• memory/37004-26164-0x0000000002900000-0x0000000002968000-memory.dmp
  Filesize 416KB

• memory/37004-26167-0x0000000002900000-0x0000000002968000-memory.dmp
  Filesize 416KB