wannacry | hxxps://github[.]com/chronosmiki/RANSOMWARE-WANNACRY-2[.]0

Analysis

max time kernel
286s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-08-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9EA1.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9EB8.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 22 IoCs

pid	Process
1824	taskdl.exe
1872	@[email protected]
2296	@[email protected]
4236	taskhsvc.exe
1284	taskdl.exe
4672	@[email protected]
4820	taskse.exe
2760	taskdl.exe
2972	taskse.exe
940	@[email protected]
4160	taskse.exe
2132	@[email protected]
236	taskdl.exe
2724	taskse.exe
4624	@[email protected]
1100	taskdl.exe
2420	taskse.exe
308	@[email protected]
1768	taskdl.exe
2528	taskse.exe
1188	@[email protected]
2916	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
208	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qyrzxkvzsxw219 = "\"C:\\Users\\Admin\\Downloads\\Ransomware.WannaCry\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
110	raw.githubusercontent.com
109	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3496	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674382821096110"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1ea7108c24e8da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000e16702e2212b5a357b9decd49a125833f14edd02e5c566ad16dd2e967a23994749ac4241eafdfcf605455948d2d9a7f58e015f53408235540c0d	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "5360"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9c08d88d24e8da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fba8978d24e8da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b5a52f8c24e8da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "1260"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4f7fce8d24e8da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "651"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "5360"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "601"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "23"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com	MicrosoftEdgeCP.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2492	reg.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1472	vlc.exe
2296	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4236	taskhsvc.exe
4148	chrome.exe
4148	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1472	vlc.exe
4672	@[email protected]

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1968	MicrosoftEdgeCP.exe
1968	MicrosoftEdgeCP.exe
1968	MicrosoftEdgeCP.exe
1968	MicrosoftEdgeCP.exe
1968	MicrosoftEdgeCP.exe
1968	MicrosoftEdgeCP.exe
1968	MicrosoftEdgeCP.exe
1968	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1568	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1568	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1568	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	312	MicrosoftEdge.exe
Token: SeDebugPrivilege	312	MicrosoftEdge.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe
1472	vlc.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
312	MicrosoftEdge.exe
1968	MicrosoftEdgeCP.exe
1568	MicrosoftEdgeCP.exe
1968	MicrosoftEdgeCP.exe
3204	MicrosoftEdgeCP.exe
1872	@[email protected]
1872	@[email protected]
2296	@[email protected]
2296	@[email protected]
1472	vlc.exe
4672	@[email protected]
4672	@[email protected]
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
940	@[email protected]
2132	@[email protected]
4624	@[email protected]
308	@[email protected]
1188	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3488	1968	MicrosoftEdgeCP.exe	89
PID 1968 wrote to memory of 3488	1968	MicrosoftEdgeCP.exe	89
PID 1968 wrote to memory of 3488	1968	MicrosoftEdgeCP.exe	89
PID 1968 wrote to memory of 3488	1968	MicrosoftEdgeCP.exe	89
PID 1968 wrote to memory of 3488	1968	MicrosoftEdgeCP.exe	89
PID 1968 wrote to memory of 3488	1968	MicrosoftEdgeCP.exe	89
PID 5064 wrote to memory of 3920	5064	chrome.exe	92
PID 5064 wrote to memory of 3920	5064	chrome.exe	92
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 4640	5064	chrome.exe	94
PID 5064 wrote to memory of 3844	5064	chrome.exe	95
PID 5064 wrote to memory of 3844	5064	chrome.exe	95
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96
PID 5064 wrote to memory of 2728	5064	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4468	attrib.exe
1824	attrib.exe

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0"
1⤵
PID:4648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:312

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff820a59758,0x7ff820a59768,0x7ff820a59778
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=484 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:2
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4444 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4128
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff63d947688,0x7ff63d947698,0x7ff63d9476a8
    3⤵
    PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5132 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3636 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3228 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3160 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3280 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3856 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4860 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5092 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4940 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1464 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4800 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5228 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1032 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4892 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1828,i,12437187474255149822,5419525126238123101,131072 /prefetch:8
  2⤵
  PID:736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2256

C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2184
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4468
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:208
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 37971722964739.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3188
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1824
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1872
- - C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104
- - C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4800
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:3496
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4820
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qyrzxkvzsxw219" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qyrzxkvzsxw219" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2492
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:940
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2132
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:236
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4624
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:308
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1188
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  PID:4204
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  PID:96
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  PID:3624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:424

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GrantSet.ram"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Downloads\GrantJoin.xlt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff820a59758,0x7ff820a59768,0x7ff820a59778
  2⤵
  PID:3628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
721B

MD5
398b2f7de4472294cce49238be04a057

SHA1
7be6fcee0710b8730932b0c1e4d2d35c6d2d4aea

SHA256
ea5d216e45dd2e8d8859f52556fd83140902e317e29095075f6a29a0798e10ac

SHA512
95b529c27d2bc5d2badd07653b21444ffd6b500d3b9ddc261eea0426fbf78b1d1e894ed4febc8d159c149a75669c258745143be0f9833d4ac34f250631fa38e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
acdad9483d3f27ed7e86c7f0116d8ad9

SHA1
dd2cfd176ad33d12ba7e6d260e1069b1dd4490c4

SHA256
bff5b4fff4b34ed3ea2754985b5ba1a8d6921517b0fa370f71f37ee0845552ba

SHA512
6e3ab4b6cfa73a7ad3c36fa621b1d2817b26e8e3613b78a40df6691d65e1486e6c2281efa0f8d3f30d2c6647b7ba3430a8be77df770f1cc575e8db76be6836a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
eec80bf6fccdb5ac6cb35f119c62bad5

SHA1
d00fd6a538aef6f1ad3d3be72802dc022e51c0d2

SHA256
be3b2a9d266177083f0f6bb7fc49db879270d4b0765e47032d957767dbb76623

SHA512
db398db252019227ba645d9918212208fbed311859c4c3f3e4d6384f43bca900518a572f5034c25927afa5136ee9e22735d69b1567ee8feb214ae61bcf4718fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
59fab8140331339232eed50eaeeaa655

SHA1
5296d3f9abc08c1dfc9f382b9af9e0c6d8f52467

SHA256
5e0dae58ed65ebd7937be4a9184a53c667c71c9d44520ae775d8735aef4b1ff0

SHA512
61b95fcd6637fe1618484ea40e27d618810316757b7b47354badcf17aeef3ca5a4a25b73139d01b857b569d5a024ee4da0dbfaadc00a2a9efe68839747f238bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
954cca8a55aaafb7488cabfe26a7d479

SHA1
46c9862c0bf54bd4ad4abbc0d965dfd87ceee1b1

SHA256
2f824b7f5936b12d410f8768d336d2b3e660ceef916034b59e0aef7061b48d77

SHA512
23009faf499d1865423cd7c237ef3133664e635f76e23d35d9a379f4b8d7ecccdac8c3d23a43dfa20eed8805dae3cb9c9d9157cca524d562e3905a1595edc70e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
01b480971fdad03bab7d7cbcbdaefe00

SHA1
2c88acf985693a5077d50fe648de69fa35f5c244

SHA256
3b7cbf6a961a1ec04f2684aae7cec67d76bb64815cd8b24846e77e3a2a95bfe3

SHA512
b6b026957e6e8b0d7307f677f07e1220db9d81c01a92278218197fb6dd227d32db1b0fdcc731459acee0c3e20159e7dca6c646291c5a90ea7d9ba7669c373234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8111328dc2bb2c5478c8cd693c30c8af

SHA1
164419821937b26421a50f6854f301bfba22ae4c

SHA256
634d67873d0eec894f79c4b32405f695789fc9fca7c0d0ad3a70c277a54f3b1e

SHA512
7a64260cb1d936eff78efd6826cd8db146afb47741a35fd747340ac5d35594510067016e0df21dcf70a48ac526612e833c11359b7d01b7b299a0d532e1eb3a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
99333011770f89dca30c4569ba680c1e

SHA1
03fd8f58dfaa96da2d1b3bae239603d25b1af6d2

SHA256
4aed95ba1677573efd01892cbb8c7d927edf174bf93100467e132b92c9efd396

SHA512
19517009a4a31323380ceec3a1573d6fdbddaad6cfbb215c92be20cc01027a864cf0de4316a98dc9c142393c46b3153880eb607704061d7b8ce2cc862bf5c07f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e41b1b76518637e6f29426cc971132a6

SHA1
943b1097b4579b47c557a17a79fc47ed6574710b

SHA256
9b77a1adc64f246a71508be1846c30adf250bf169486d2dff4c45fc32fe09f79

SHA512
548cc793fd66d4bc09f9444a9dbc28e400c4698852fbe983f67e0d929e2191b06cff42b900c900af0f9459ec00ecbee0c3945e3aef2fdef938bd2f1e43f11156

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a0c09b55c0aa5cf62d7a07a0ad553ac8

SHA1
cedaac0eb79b88ed7f1a7c75cd1682451df079bd

SHA256
a83dfaeed4d99aeec9f525efd6b9c74e4ca2676de8d3dea051882011d329382a

SHA512
515ebb0f49b881fe9c9d409a49f5f23ad97101c10220e96761fae17b2a52458fb522c994b68fbe9d5067d6629aeda756cf39102ac836310ad3fa9221e8e81fd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0cbba7ffdc823f95ab4465e249285bdb

SHA1
9380fc5b978f7480822f4827256564a8b283b314

SHA256
4b7c39c76765295c9de2f63c6b7867ab3255698b57c5f83c5e884da0488a7bf9

SHA512
4224cc28d5fc9701d900687101168966d1a573ce638755188c82cb8690bcaba7ba5b005e67337b924377b59424675fc7aa4ede07fd9ee6946d62e491323ac0ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
593239be1c263102979783427dde7a1c

SHA1
34ec6abe28dbd2871b2db17134f6d8149d8b7bed

SHA256
226f536321ed6d55622385fa3637a430aee0d3de998ce96efe2e0cbfb52f9e1e

SHA512
09da0ed89c443a7044d6eb525733e9b5c6c852d942235bf8764b52797e0b7484a909f52e447fd1a928cfbfd6fcb7966289a64336ee6e01b1409ef0ce345ed0f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0e3dd013b1a4735a4fb2a5cae8963903

SHA1
f6b78ddb4596790c7822d91ac6d350731457a7f5

SHA256
78fbf3b78789870ddcb131fe339dd4c386e6a5330d8072ea2aa77cc0fb39c730

SHA512
deed35339cf8c3c3cac7a8d904b4ae8ca0bbe8570f9d24438870180a7ad653fff3f7631a5b7a3a5c36980d2087b6830f9cfa84c7af4242d162f425bcbee47524

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0c3988ebd9f8cd276e9e12ce78e56581

SHA1
d0fdb898639a608fb4632137f2b7496dcca2383b

SHA256
de8adb133765fbe922f48b5ce2f3b0624d745031419bea73250b59a4e680e1d4

SHA512
5a3326d9215a198369e247dd89b2edb2e613c67d87767847c2caece8f9b0102f04402a319e8f160b70cfb442dac20946b5374c4d67afd493e3df9a243f1e24ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0ecea5b7313e5845da6101a3fad46c27

SHA1
53005fd875b6017405a2eba5ec1c1c7c5d1ef138

SHA256
fcb6f0c0fc1a309e8b6ed30de9e4e2d42b7b2b2f2a0cb5105c1a743cd7dd5bc8

SHA512
70d70f635e0cfc1a46f5e559a4ebcd73674054ecd3de0fece538859db41d8d7223ed4adb2ca2cbe908a4a66c23cf1fc325bbae2de634ad3003a6c45a353c02dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3fd9633b31c54e62119dff7046a15fcb

SHA1
9f5fb7723e5a60cca379b083a12e797d7b8ee9cd

SHA256
afecb74d6ca612a0e294ba804c7694f9ce36423c3d0c2922681be26c88206721

SHA512
64167b357ece72958e9aeb8c0951bfe97706d952c15ea7a8cac59ebf2ac938905525c4b6e177e8cb2ec562785bf92513a3ac0c2d13a32f522d74d6dda5f0d2d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
955884623f5ee47290e5b18f12899449

SHA1
bf4f4692833d65b5d964670f6e0a896dd5f09ede

SHA256
1c54b0268a02dca40248670a6958ddef6cb24db43bae63dc89583187cab48503

SHA512
01030f53efbab873acbd2253eeb52b5e1b50d0fecd1eb9070f2f3de16b5532b5d86d3609f039593435b7cfe01cc09895f1e06884c1e9a686d36834059b2fe292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f014b29ce03a8bdd849223d8869ac614

SHA1
944cd34e12f85b1739a7fec7069ff7608e49e305

SHA256
c0a0e63ac8f7e996fcca5aec3fb3bfb0ce66544ddcd41eac19e5f7f1a4264603

SHA512
ac0f9f4fbc6cdda3123dce880a3a63ade11324fd2fbe0dbddcd3cc4ace9f7d0fc2bdebfeffa5f3a2209040b951f372d1fd757e0fdfcfa5dc877558f5bc87a11b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0ac2d92e0554a3f9e44d6273b87f0173

SHA1
fd091b4f73ea3324dc32a66d7d7ad52135a0e8a6

SHA256
693faedcfafcf238c5c7f6e32592170e413588d6521312305fb19cb8ef5ce920

SHA512
5a8c84bc5d42de83668324298cccb465ab7032f50c728b92fd92d635d261d1c3348b4caf771c09d50aac621268e17c426a5557f89557fdcc954d247da0409b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7f96e56ffcf5b5142add538f6acee97f

SHA1
725e871fb132fa9dd8172049772dc1b69c364d11

SHA256
188bef3ecdab512e239f125bb4b03cf2b526405255e48717c2d6291fe161d926

SHA512
1d5a4160220e5357c4e0a1c97205553e2157df8a1dddc4f058acb4d702a6d1df15a53dd67ef8b519a532d21e344e311e9921719cb2213204a80c5ff0f6bfe2b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
29bda1ef1e668fdc6fc82840218130be

SHA1
6384aa3a983708457ad39e262549311168e8729e

SHA256
b6da6b1429595775ffe289920eda8713148e86cf666b0820fe1f9043ee39d836

SHA512
b06acb1cb1bba4e9b1117207010f3890d12fa7fe334bd2391f12ec153e64e0714928ed3c25e8016ec1609d746935a6422b6ebbc7082734da09824f695a11e59c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
16fc5495e09530d65fb55a8e52089590

SHA1
8062a2599f8d437971b3d77c3bc91796450343d3

SHA256
f34ce04f9d06d503c786eff4d554077c0208914807ef2118bd9fe5969ed363a7

SHA512
3b169b32b2cb1c96b2460908bba2bc9e71cdfc89e936b5f66182b4a25bf31b6915ccd17b9a8ed918f47bd36bf7270f90a61324a881999b18eb3eb5fc08ef31d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c82b1e9a2c51785aa4ec782e63fb01f5

SHA1
d3ccc6833b0842a083d06cd495fca440517a72e4

SHA256
88698b8c04f297ffd3e4fbdbea2999192e2569d87ce5454186b7f4614f6b968e

SHA512
b5f083b0f9134754edc8caa06c8eb3856f10beff76027c3221c31f55c16aa74d0f2b297fb62c47d663c4981c0bc588f5bbe5802188d34d0bc6354fd3842c0a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
84f88987704ef903e696ce9dc9a07802

SHA1
e274e627f65884374d6c12a61ca9f209aa144834

SHA256
1e5738e102fb34e73b541d699ace73e740d3456988d0097ab0375f9fa46cde01

SHA512
4b7b3a0fd0ee5e91e81aa4b55cb756b474c1bcdcddcd90db7cf8cb1a5c5b0de625a7da8fc59b57d22c807e9eb46ca0607ed45b3443283c6a83cce8f34fe8e035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
293KB

MD5
23c996b6f55706fe391c686347adf70e

SHA1
1b40813d2508ac64cc3bfa2d18af334e8fd6a64c

SHA256
a681293579d68f7a12e6389f258cdf8f1a02e0f5ea88e0fb994b5e9abca5ce1c

SHA512
8b07183a66466487ffb667eee0354cf086850021d83eb8e622be8b14bbb4e72cf39917334d4cb985ce76c2f93b08dd2e367a80c7a6592051d6ee0d986c41da5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
294KB

MD5
b9f8a603bde2ab8e4401432645f6eba5

SHA1
c3ec6bbbcfc5fecfa2f085a1ad6750a7bdfc5bc3

SHA256
7639e93a0a07613123173dd27c87b063da24470e8c44203f1232d0fca7ddd22b

SHA512
00c1d48b6a07c86a8fb2224915a3eb627c867cf9a732d18eb26d8a58109ca55e24404e903d4574198ebb14c128c2afe478e3687a27d7fe01c7b4f1c29007afcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
293KB

MD5
4ffecb4e686196e158a0a9fed06c9202

SHA1
12ff9abecffad531b2709f4a359b59e832f683c8

SHA256
8558fb260416a60997d59195f259a7db3e74247fdd8cc4798eb65b518239eaac

SHA512
f491d357cc1ee41ae0c6a67bbc68ade18412ff616ca09d6aef041abd4d878e0c8d8a1505e8970e17be3ce98bad981b550a52938a5d9597497a06ea1ea3d7aad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
338KB

MD5
e1fa9a99b16ec8569ba1590f8c8c6cc9

SHA1
746b9f1997cff7396c474a613d2e1827c1bfdb75

SHA256
9eda6e086b62aeb24a7b5fe9d6faf74cefbe7ca399f80fff498821df49fe1aff

SHA512
ba8f7381639adbdd231a625a85bee5274d4d0a48c6b4282d1601cff5f6cf76e86aa6f02d06b79a9e850dd058782586a4dabc81437a624e6366bbf9637f644272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
293KB

MD5
9a8a05c803f3fc771b48fd1239b3312c

SHA1
e9dfe7f915e03fe57f87ff7eea8693686ed196c2

SHA256
4d48dee1064f2f4e3f84e663c16f74f0819d19a9a5610fcc843afa08faef8fbc

SHA512
518388ac1173d934cae9fd34851552288fb58b914add80e7c61b80cca7defcf2be73d8308232a1e3338fcfa64add4f19ec8b875b12b907a1b928e4cae1786c3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
bf5b9c059b875cde937b79a60cf20f60

SHA1
7e0c0e891b7fd1b80395b10936d646cc89b048df

SHA256
d8ea6f260da7379153634764eb9eb7cbff7c1a647cd27b01feee14a64f8ef12c

SHA512
a1d8ba27c1c8c00a7573fa42a2ddc009cffb34731b5ddb47fff8074f8a351c678dc2d2c74cc2c652abfedf99f0ad2930515092e3c6eaac5ffdce1fd674c6804c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
73c583ee587c77338fe5f47df079ded7

SHA1
e6b86bb8aec0895c861eb601717d23d1e7fecbfe

SHA256
c6d4eb53b8fb8c090d019e0365a93c3703fe981238f74a188de21af7051ace7a

SHA512
f3552b2048775507131e94da070f1c5c46b6293c8c0cd2b3bc85dd313bb43c3f2271f47a8d463137f9811ccd2961961668896d0d3b7b3da4013360fe8b891975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
d18d13762b735fe8012ee5429d37d7f5

SHA1
f9b61ecd3e1e0aa4566e5718cca810dddd8c3bf7

SHA256
4e36891fbf05b2e562dfef4d62b1bcb5dae66a5b8fe303a6e5635f6487b7f197

SHA512
8db655ad8756b7ca69c34f8c135aa24336b1fb38386141161506e7f141805c1ce967ab26a7d879a15dc31a79617ddcac156e18b9f97fd47f1326d0be508e6420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580bd2.TMP

Filesize
93KB

MD5
cb6d518b957e2be8f1f61f27cf7e82bd

SHA1
74a639da7649b5a2c7c1df9869e7f5af302e1bcb

SHA256
623fb408c0a8437d630e2b1205f918c788f0e0937bf6babad19fced206fc67e6

SHA512
51a1fb4c80cc5749dd86a460d778ecf22376b204176e6a27d2e5e537be10309743f6aa1a54e0b00f108cb0ae5cf5a1a213a29d5172019ec782b7f93bedd9d66c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\327MMZJ1\www.bing[1].xml

Filesize
1KB

MD5
5e77ad032979e7afdca92c8dcda518e6

SHA1
4204591d3f53d70919deb00f4665f1a5d26a3808

SHA256
d8bf93b26fc62c6294f928fb7d9a4ab8d1797ae1c698bf278ad43b72baec876c

SHA512
6147c9ef0b1b1ab1b6c6a2f9886179105a52f8216610a9f045fa9133d79a97fbe04fbfc11d62c264ddc6cfb6fb8ae7221e741e1c59faa52f3bef3d9c0537bf7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF0ACEA06A699E649A.TMP

Filesize
16KB

MD5
d10667cb43b8f26a9490c1e1fc4079fa

SHA1
5ca1b251c0acd007d731a7b858de10906a7ddbe5

SHA256
a82ab3a13526791aff7954ff7ad9e43d2d7bc109592af545eebec6eb961c8466

SHA512
0091c9f1a28a90af6fcbfe4619857f16448d5bcf33f5767e2e4ecbfe6d1165197e4e4052090928cca6a1441a18c2c62e47f502972bffb03b343c724458831abf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5WUGZOS6\dark-6b1e37da2254[1].css

Filesize
48KB

MD5
96ba1deb375c1c66bb092fa0a1765be1

SHA1
03f188ec52d09882b8403ed57d7aa73a224ddd62

SHA256
d6bc29d6a4e33c7f4da1d4b8060cce6dedf384d7334b71661c277e985ef8c156

SHA512
6b1e37da22544d5626c6f78691a8d8f723c49c95a782f5195f4b00b0e1b9d4408402c25d5915e097ef31273c3c8d06d81d1ba1bb08e12677941b8b1f24d92848

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5WUGZOS6\github-4bf1effa8118[1].css

Filesize
125KB

MD5
418283681ac0343ff1b0c1799d220cb5

SHA1
caf0bb7f706325a884b240f939e148487e2e3511

SHA256
a1eb4fa6aa620527b4814dbd830f71905c40595e54301d132c47ab69a9f654ef

SHA512
4bf1effa811897e902f0fc0d73bf0251ce87bdb64d85d2fbf2e4485961ee1a85830dd6b73d23d2925442e9de2b1d7a14a36236db4e1b7ed7ea9f5cc6bd58c3d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5WUGZOS6\light-efd2f2257c96[1].css

Filesize
48KB

MD5
b8473fdb0f4749de99341662aec850f2

SHA1
f593c957a26528558217837aead34cf718d27443

SHA256
8aabc55d211fc93acb563c9cf30732577212a998196f73b067f9795c8d1ef72b

SHA512
efd2f2257c96c12eba6da741c677030ac63c34a925846080ec606e5a974706726479bd5babea6dd0ac7e8e421704263787986fb07a9c384994cf403bf8bc3dee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5WUGZOS6\primer-primitives-8500c2c7ce5f[1].css

Filesize
8KB

MD5
e9c08b9ba681ad6606bd18f264e73ef6

SHA1
04d1e96739d82e07587f10bd2d953c8e70b93d9d

SHA256
b08c9718118f5b814e632ac3dc0d8e009e5dc2913df183f0ed322e6817e997df

SHA512
8500c2c7ce5fdad5fa01aa92156964108335c704a127ce290d201395009914c814ac6e08a467e45d1ca0fc75b2269b7f09a6d437939d91c9513c659a80cf472e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IWYI2D61\repository-992e95451f25[1].css

Filesize
29KB

MD5
ba1468dd22fb87a14c2e6e2204531deb

SHA1
ade22d3c001f90fb4998709fa1062c2964742ab1

SHA256
d47b5116f66ce8d8840e44fbcee18453ec46cd6a12f863308a1f456380c35707

SHA512
992e95451f25275a9263e398d325f64591772d9ac887be883b8ad97e09008bd31a0e2f59f62c0cc97a983cbaba7b20bd4ae49748a834c1862323bac59e318bf9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IWYI2D61\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_smoothscroll-polyfill_di-75db2e-adf929d695f3[1].js

Filesize
13KB

MD5
39c9822240af7e9d31ad72836ae90bf4

SHA1
809afb6b10419a3429466a2635da80761b91106d

SHA256
a9cf8d3f90605df1ede183ce15eb836e9211fbb0014b0c5ea282942fe96866b0

SHA512
adf929d695f38240a78c0dfac2b5a59a1bd8d78aa1f3b122daa8b3eff311ba441f29d11574934d7bce7aa25bc04b15807f53f9e47aeed1ed865cfe26d3a9ac92

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IWYI2D61\wp-runtime-049036b9cee0[1].js

Filesize
51KB

MD5
5c8cd9c5fd4142632b015f162b2c10e0

SHA1
7cb99cda1a14aa547242a7770182120455c1f6e2

SHA256
47131ff919909509b6134a68d192e9cda7cd154e97465dbc1b5d096be463751e

SHA512
049036b9cee04874d40de5ee6621ce050b14a9c1d47f59f72a966fae950c05c0e17bb5012f1a14936d5a8611888facdb59f1430bfa9ba096cada25f91d53dae0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSXCE75E\global-9b11316cc1a9[1].css

Filesize
285KB

MD5
68508cc0abd9601cb4b9b265b54c4d2d

SHA1
e8fc30fc6eade183a9b0a94426bdf91f3573051a

SHA256
be2caa1c0ba8df9d5ebd7b121e0bd6ef0cf1821ec9f6d0dcbb000e93148c37b1

SHA512
9b11316cc1a9162d64be95e448a37f11610a6bf7c92052b1cea89e2b097cef72ba54796c2c1b7896fd932842247d974f8ad2961d64699b26b86d31c6e6a4547e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSXCE75E\primer-38e58d71ea15[1].css

Filesize
333KB

MD5
69a61dc716e08413491c664cd61c2a93

SHA1
9d73d2222720623c57b11eaa90e296b743cb3058

SHA256
5be84dff60d0b63e2cc4d21ba3742d1d22457187fac848569c15300b1eb412c6

SHA512
38e58d71ea150bb7d19051dd0d47c3342c4b608f20111e501c1e572e234f9584828bf87dd9ea7c25fc4a30b58a08f77780163b54cd7d34de2665657533405075

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSXCE75E\vendors-node_modules_dompurify_dist_purify_js-89a69c248502[1].js

Filesize
20KB

MD5
36f04458790e19bb99bd77a1cdc16295

SHA1
8f25cd75135fec8c088728f53d39dcc21d375fdf

SHA256
cfac43b55a6b86258b9d3495eff18f26f598313a14cf76a3dbb1e3e7fd341f00

SHA512
89a69c2485029e3393d81637b2eeac776d0765835e6ffcdddb1394f4421c5236b5cfee873568736d8a233b6c9bafe6ea828d2b718133aae8f0d22f220165fb9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSXCE75E\vendors-node_modules_oddbird_popover-polyfill_dist_popover_js-56729c905fe2[1].js

Filesize
9KB

MD5
2eb9961e08f81bdca617ddb67c2fb708

SHA1
15cb6d7ffe93324b38bb62bcc4ff14d1a57f94bb

SHA256
0f2cd40ad364711db1fee03cf9f6ca04fc56f5c3ba497dc476c5879e129d968b

SHA512
56729c905fe263a6b7978bc67c09b8dab69592e21aa9addba78866790bdb2dbd85e41e6a6663d511e73a8edeb75933b549b3c393a465748790a6fd50b337cee9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\RANSOMWARE-WANNACRY-2[1].htm

Filesize
268KB

MD5
c6820dae1363bf3912317e6d4e9f0fe8

SHA1
cc951285c8e51e03ed3102e8a6356976ef8073bd

SHA256
a58ca0707fbb3b80e573c3f10bdaa418898071e22fc9f1f2229054eb10a9c830

SHA512
dfd3a23d5b2647e00e3ba58e23a55b31bf4dd1645e0a76232d7f872b8ab44312fd7ca51fd6ee615fdc9456bb6cba34f891ca26819f3490345a8ad380faf04e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\code-34406d39e629[1].css

Filesize
31KB

MD5
ee14556fc6c8c5e35d7acf63edb7c840

SHA1
6e106d8fb2bcdbf90a553b2db5ad3faf8b5b1d35

SHA256
e98b22b626274eb24481f138c7aed6681b3ade70d4427bc0cb05ceccd9ef4a61

SHA512
34406d39e629a65f5162757c5142f9b02149d2d18caedf15a528315a5dddccc86f3445c852f7e42a2979004b3c07ffe62c1b0c13cf5b60f6b8a06e5836027b67

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\environment-bcaf5ff1a8f7[1].js

Filesize
13KB

MD5
9fd9c45896ee2ca1ea5c306a8a0d1c58

SHA1
9113ec322802ac10f6874167e2e100a2b80fc93c

SHA256
43db7372eb07401197193ce723ddc6c30a579f5900b75bff41e71a53bb2ff9bf

SHA512
bcaf5ff1a8f71b465358bf7621d2f0d5d0df9fe9d2426195968b74cd9acf011a332dd76eca662c9a71108993375549be7665da88ce76e4236207d60967831339

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\vendors-node_modules_github_catalyst_lib_index_js-node_modules_github_clipboard-copy-element_-782ca5-54763cd55b96[1].js

Filesize
8KB

MD5
80708c39dbd42e80616bc4a61b51c1bb

SHA1
a87eb08671b07a1c2689a6caca2486727af9ae3e

SHA256
10e085fffc04da9cbf0a46c8a6e120d34947c4ed859f05e26cb0abaae312e094

SHA512
54763cd55b96117e15652c12e9ca5e8ec71e58eabbd9537a7e6c833ec124199eae23091ef59275513f2cacf055e9ae69d7683474fc31f81ef823578118c462ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_remote-inp-b7d8f4-2355048ff048[1].js

Filesize
18KB

MD5
c6175500bbb3bf8dc98aa0d4229caab6

SHA1
59fa80835b3a054500c80573c5403dbe3b6c72dc

SHA256
936cc4f56aef6760208636c671f028f76a6a896b1a113df7f64b4fe10ac9cbfc

SHA512
2355048ff0483d1b53126ffa8506d15da3baf9cac2570b99cf6c1d019b4702231500ec72485e529b4ab8250631e664d080818ec91cf9339770528948489f92a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_delegated-events_dist_in-af795d-6b8acebb2278[1].js

Filesize
25KB

MD5
80e14683f48a20d0dfd6ec5e2a5f9061

SHA1
6bdc4222ff5868b5299fb0bc76308113d1219e6a

SHA256
d6e059540c8e0d2c5ce758814b414ffeececa003523b3f24fc3dc973afc0107e

SHA512
6b8acebb2278d1cb6289f583fb8479f2a77150360b995475317e88c8b698077c47f4cf0a62fc256009a973735c04cd86df29248067749c8b75b287d3576f8a94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\vendors-node_modules_github_relative-time-element_dist_index_js-f9b958f5f2df[1].js

Filesize
15KB

MD5
46afaaf3a6253f2ce9568db9e301ec8a

SHA1
b365c36e165567048bad614c98baa22bef4b9b91

SHA256
7ef807f7b9fe45ec17faa06e235c7adac46227f7589b91653fe4e0ae3a7a0ff4

SHA512
f9b958f5f2df5e85cfb021de43dac548c271eab2ddfa4463c213d7bf311b7ea3b7b93b7231de9834db884bbe53b012b3a1dde85eef9c6daaf46609aeb446fdb4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\vendors-node_modules_github_selector-observer_dist_index_esm_js-f690fd9ae3d5[1].js

Filesize
9KB

MD5
e131f8c9b77918aeb94fd82199a423d6

SHA1
71eaae086cd44a8904f39d27fb5387bb957976f0

SHA256
01f9a0ec0bb24312ae0395b6aa238f8d910dc35c08ef5a25a1e9cd8feac83c32

SHA512
f690fd9ae3d5a240e479fea97ac82940f136f3f2e0262cac840345f2b956123117ca94424dc354d90d13f1c0169c24b19526505bb2fad70c8c364899474a9495

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\vendors-node_modules_github_text-expander-element_dist_index_js-cd48220d74d5[1].js

Filesize
14KB

MD5
69f387b852329683c3f4856ccb905f60

SHA1
a58ffa40abbb4c6f5ef0545c1ffb932c21d73cc1

SHA256
d9cdb2e9f9c648237f22c43f8f12e85d8944c75ab325352059c3e53516635167

SHA512
cd48220d74d52b956312b2c59ec764d2d559e73c51789f9d649e108925f79ae3c910744161904b2840894bfcff64507971d5a19f921e5190a710bda4eceb63e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YMHXVVT6\vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-c9086a4fb62b[1].js

Filesize
8KB

MD5
19e28fe2dcffe5582e6352b53d0b22ce

SHA1
1e656d3443915c4e4bc9782f4366b4eebcf45720

SHA256
345e3daa928a64bc11b3778cfb36228d0025c260defa0b78e4c0ebe66c419737

SHA512
c9086a4fb62b90cd43e0a47621528a23582de79c4bdb1b2eac386f8e331c5ac891aa69975fdfb487a4cf508852c1c3ebc2df24e00ffca5443fb6e22f3b3ee99c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
16939f471f5356716cdafe74dea7d6b3

SHA1
bea3c097c794384960a7b21258b78fdd350dca0c

SHA256
21f92d288fc0ec0d2a1ab9bcff8884bcba9c637e9a810c3eee3e47e34ac3e485

SHA512
956119105e4334640f635866502c7e347c8c4d8fafd688a2e1397ebdaa92850d46e75823183ce856c28f5705520b71113ff4b80204a393b85758729c2134961d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
b5ab17d4f916b16f107429fbd0724c93

SHA1
39b2c6bd172c89440129f35b481538eb6e7dd54f

SHA256
cd67b64ae69f04d81477ae47f5fa7156d56a698721cd4d3e5e0ade91734084e5

SHA512
788dd105a5bb65532e3dd64f8091481dd7e9e6d37ff897fc1ececfd23e41cbd1065b79d583713cd035fef81ee677f22cef7aa969641826b1c222ea983481f9aa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
978B

MD5
fcd451d100451b87ac42092de358782e

SHA1
f701b9bc3fff61891b31ff0c826f33c874831384

SHA256
116d2c6230b40ac3a295209a862f90abb051b458d16f0a5cbab293935c6e2585

SHA512
1fd1ea3cd1d740d1ac9a25cd48dedb6bea007c89702de2799357a784680f60f649114367d9cbbb1f001e8a9edfa5c9301b00b30be5c63202fd330839be600062

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
1552f9b8a64e6e395e706081a2ec40c4

SHA1
60cf77c7d1d0b4a0dcdb54235c3e9eca06749a39

SHA256
14e8c246e0e37423eba856d3f565118c3515a2314ee85fe4c182aa135a54a55c

SHA512
a8521a6cec794dd82f65d4ff4e77974290aec4d0fdcbc12ebe90f406a6f13c1d0d4c5497ce1104ff064e1e9e0a445813786e924dcce636dd171dcba45ed2877d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
cd3cc7afcec8c5abf8c1c76a9aa67759

SHA1
febab510a6e180c97f3868167e2a5942368adf8e

SHA256
739bbfb6816be7ad4af8bb74e8ee1786df7fd3648d0a06f347f2d423083b213c

SHA512
c1d43c01781440527208a78cd1facbf3a01f5b5dc113812841ddece3a54580d52e52c68d7e13f396edc87320b9df77ddf3e05bc44dbb6dea5eee300c9827dce0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
706296b73e9a22c8bee580055abbc63a

SHA1
5130f583fc73fb9ac4d9f8f52d1ee5cbb4520d24

SHA256
6735cc3584c6d3b165441070775fe6e83b0982216c53a689f63da7c50abdfc6d

SHA512
37f4bf9cd225f5fca5be9e9efc644f77d746cad7bebe5668358dd368cdf6452b37c452d0511e7760df82f401f748053960f8102d5d0073bbf9938580d2b89260

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
602244371c31412f0b3d1443da691236

SHA1
426779f7b9f439404792c553f4c38235ca795998

SHA256
3954078fbbd0c227ccc3c2ca0088c6f505f11710cee6060df4276848fc8c8d0c

SHA512
e853082b9004aa13e39a3196117abee6d92bbc53b2a77e55e51ef84ba898a15db616b5ec6e8cbba3fa48059f653944bab3a8084ef51c90c760fc1b74e37524b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
0de02aeff1e84033adcc2ee5d358f58d

SHA1
f2cc178eb098a3867a37e64fb4b70308b8a2fa44

SHA256
f6b392ef5d0e9e6b23e14203ca59755a4d73e9bf2eaa3124bcee3ed11b00f823

SHA512
dfb46659f0b91e4282f9cf4515aa2a179379a6ddd9826910ec310eee60f8fcb7996c29ef9dc06b56f978b83dbf4c0b36efef48bb3bfc46b9b87d2545dff947d7

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.3MB

MD5
159d3a738d1a2b703d3ab20236011e4c

SHA1
e12b17b82cf6d9a27f865cee82fd449159d60c67

SHA256
aaf4059d62394f07bbe30481d6c7cea014f3afebe27694509f625cbd1c548041

SHA512
66d8976cb72635342806eff5c7ef52dc39692cd7b79af6aa08861a901596f8a0a38a9121d004314e3b5b3fda7475a571e700992a63aed231705f7866326b9ded

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
memory/312-315-0x000001541C930000-0x000001541C932000-memory.dmp

Filesize
8KB

Download
memory/312-16-0x0000015418720000-0x0000015418730000-memory.dmp

Filesize
64KB

Download
memory/312-35-0x0000015415CC0000-0x0000015415CC2000-memory.dmp

Filesize
8KB

Download
memory/312-322-0x0000015415CB0000-0x0000015415CB1000-memory.dmp

Filesize
4KB

Download
memory/312-318-0x0000015415CF0000-0x0000015415CF1000-memory.dmp

Filesize
4KB

Download
memory/312-0-0x0000015418620000-0x0000015418630000-memory.dmp

Filesize
64KB

Download
memory/1568-44-0x000001CA1FEA0000-0x000001CA1FFA0000-memory.dmp

Filesize
1024KB

Download
memory/2184-688-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3116-62-0x0000022BCC500000-0x0000022BCC600000-memory.dmp

Filesize
1024KB

Download
memory/3204-239-0x000001E0CA930000-0x000001E0CA950000-memory.dmp

Filesize
128KB

Download
memory/3204-231-0x000001E0CA6A0000-0x000001E0CA6C0000-memory.dmp

Filesize
128KB

Download
memory/3488-278-0x000001EFACA00000-0x000001EFACB00000-memory.dmp

Filesize
1024KB

Download
memory/3488-291-0x000001EFBD0B0000-0x000001EFBD0B2000-memory.dmp

Filesize
8KB

Download
memory/3488-289-0x000001EFAC5F0000-0x000001EFAC5F2000-memory.dmp

Filesize
8KB

Download
memory/3488-287-0x000001EFAC5D0000-0x000001EFAC5D2000-memory.dmp

Filesize
8KB

Download
memory/3488-285-0x000001EFAC5B0000-0x000001EFAC5B2000-memory.dmp

Filesize
8KB

Download
memory/3488-283-0x000001EFAC4B0000-0x000001EFAC4B2000-memory.dmp

Filesize
8KB

Download
memory/3488-293-0x000001EFBD0D0000-0x000001EFBD0D2000-memory.dmp

Filesize
8KB

Download
memory/3488-279-0x000001EFACA00000-0x000001EFACB00000-memory.dmp

Filesize
1024KB

Download
memory/3628-193-0x000002946D000000-0x000002946D100000-memory.dmp

Filesize
1024KB

Download
memory/4236-2323-0x00000000734E0000-0x0000000073562000-memory.dmp

Filesize
520KB

Download
memory/4236-2326-0x0000000073490000-0x00000000734B2000-memory.dmp

Filesize
136KB

Download
memory/4236-2325-0x0000000073400000-0x0000000073482000-memory.dmp

Filesize
520KB

Download
memory/4236-2324-0x0000000073160000-0x000000007337C000-memory.dmp

Filesize
2.1MB

Download