wannacry | hxxps://github[.]com/chronosmiki/RANSOMWARE-WANNACRY-2[.]0/blob/master/Ransomware[.]WannaCry[.]zip

Analysis

max time kernel
212s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAB1.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAC8.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 16 IoCs

pid	Process
3352	taskdl.exe
4320	@[email protected]
64	@[email protected]
5672	taskhsvc.exe
5680	taskdl.exe
5560	taskse.exe
3424	@[email protected]
960	taskdl.exe
4292	taskse.exe
5548	@[email protected]
4128	taskse.exe
5096	@[email protected]
5556	taskdl.exe
3804	taskse.exe
5964	@[email protected]
2840	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2472	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tonfimrlm190 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
61	raw.githubusercontent.com
62	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683237295735891"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2848	reg.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
1128	msedge.exe
1128	msedge.exe
1408	identity_helper.exe
1408	identity_helper.exe
5104	msedge.exe
5104	msedge.exe
540	msedge.exe
540	msedge.exe
5972	msedge.exe
5972	msedge.exe
3256	identity_helper.exe
3256	identity_helper.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
5672	taskhsvc.exe
1480	chrome.exe
1480	chrome.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5080	WMIC.exe
Token: SeSecurityPrivilege	5080	WMIC.exe
Token: SeTakeOwnershipPrivilege	5080	WMIC.exe
Token: SeLoadDriverPrivilege	5080	WMIC.exe
Token: SeSystemProfilePrivilege	5080	WMIC.exe
Token: SeSystemtimePrivilege	5080	WMIC.exe
Token: SeProfSingleProcessPrivilege	5080	WMIC.exe
Token: SeIncBasePriorityPrivilege	5080	WMIC.exe
Token: SeCreatePagefilePrivilege	5080	WMIC.exe
Token: SeBackupPrivilege	5080	WMIC.exe
Token: SeRestorePrivilege	5080	WMIC.exe
Token: SeShutdownPrivilege	5080	WMIC.exe
Token: SeDebugPrivilege	5080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5080	WMIC.exe
Token: SeRemoteShutdownPrivilege	5080	WMIC.exe
Token: SeUndockPrivilege	5080	WMIC.exe
Token: SeManageVolumePrivilege	5080	WMIC.exe
Token: 33	5080	WMIC.exe
Token: 34	5080	WMIC.exe
Token: 35	5080	WMIC.exe
Token: 36	5080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5080	WMIC.exe
Token: SeSecurityPrivilege	5080	WMIC.exe
Token: SeTakeOwnershipPrivilege	5080	WMIC.exe
Token: SeLoadDriverPrivilege	5080	WMIC.exe
Token: SeSystemProfilePrivilege	5080	WMIC.exe
Token: SeSystemtimePrivilege	5080	WMIC.exe
Token: SeProfSingleProcessPrivilege	5080	WMIC.exe
Token: SeIncBasePriorityPrivilege	5080	WMIC.exe
Token: SeCreatePagefilePrivilege	5080	WMIC.exe
Token: SeBackupPrivilege	5080	WMIC.exe
Token: SeRestorePrivilege	5080	WMIC.exe
Token: SeShutdownPrivilege	5080	WMIC.exe
Token: SeDebugPrivilege	5080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5080	WMIC.exe
Token: SeRemoteShutdownPrivilege	5080	WMIC.exe
Token: SeUndockPrivilege	5080	WMIC.exe
Token: SeManageVolumePrivilege	5080	WMIC.exe
Token: 33	5080	WMIC.exe
Token: 34	5080	WMIC.exe
Token: 35	5080	WMIC.exe
Token: 36	5080	WMIC.exe
Token: SeBackupPrivilege	5136	vssvc.exe
Token: SeRestorePrivilege	5136	vssvc.exe
Token: SeAuditPrivilege	5136	vssvc.exe
Token: SeTcbPrivilege	5560	taskse.exe
Token: SeTcbPrivilege	5560	taskse.exe
Token: SeTcbPrivilege	4292	taskse.exe
Token: SeTcbPrivilege	4292	taskse.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
5972	msedge.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4320	@[email protected]
4320	@[email protected]
64	@[email protected]
64	@[email protected]
3424	@[email protected]
3424	@[email protected]
5548	@[email protected]
5096	@[email protected]
5964	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3596	1128	msedge.exe	84
PID 1128 wrote to memory of 3596	1128	msedge.exe	84
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4796	1128	msedge.exe	85
PID 1128 wrote to memory of 4956	1128	msedge.exe	86
PID 1128 wrote to memory of 4956	1128	msedge.exe	86
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87
PID 1128 wrote to memory of 1244	1128	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2804	attrib.exe
1680	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffcfe1346f8,0x7ffcfe134708,0x7ffcfe134718
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,41892766255344845,7904104390300615948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcfe1346f8,0x7ffcfe134708,0x7ffcfe134718
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,524672198818724140,17716998838472707426,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1236
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2804
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 266341723850046.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1408
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:64
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:5644
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5680
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5560
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tonfimrlm190" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tonfimrlm190" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:960
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5548
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4128
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5556
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3804
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5964
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd058ccc40,0x7ffd058ccc4c,0x7ffd058ccc58
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,7798660963201470019,6882744140877188349,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2200,i,7798660963201470019,6882744140877188349,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,7798660963201470019,6882744140877188349,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,7798660963201470019,6882744140877188349,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,7798660963201470019,6882744140877188349,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,7798660963201470019,6882744140877188349,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,7798660963201470019,6882744140877188349,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,7798660963201470019,6882744140877188349,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:5772

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
7fb0291247be5fbe83231f25a2aa40a4

SHA1
336319f4aa93bf44d680a5ae3b8c3edbe732199b

SHA256
c80325c457965578fb9f824a636ff9a905aeadbd33131b31dc5001908a86cb28

SHA512
c691de262aa93bf21ce41f335c0d95fb96e20c4ec70e7fcf39a8f0cb3e69e1c926d18ee1492abe17a00c53c4429223a4466c4efa4b9095fbd4f8a89428d79ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0f312491-2aa3-49ed-bb8d-348299654a27.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
36ee53331a6c9e3147fb5dee5769029e

SHA1
7531e9f9356cd47d3166a93fd74fc95dca267cd7

SHA256
6df3800e4d1edcef8b5dada2275806ab1babd1ba0806d1bf2235eef6451d85e7

SHA512
7de97a6ec58172ee3724172c3840deaec9003da4d4d2e79a35476291ee8750212b322de43e5e87605924a37f9a5e0e2555c1b468471e1d06888a40699a5f8d0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
e7a91e17335c707d392a0d85cb7853eb

SHA1
d090ee2be42a245cb5e1e91c141724913a75edba

SHA256
92eb6d6efb46276ca3e930dcb89bdfd85859ce3eb2a02761dbf7d4e1fe1bfa9c

SHA512
feaf5143f9691ae67a0b0a805f30824bf1cd33e4d2b3c9c29a5a2b7c39bc7cb6c837f529ad5df53f6859b31f46d0518b7eea1a1dbc90f1532d99a21a8d7b37e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a669b9868932590b452b763bad1461eb

SHA1
80dc6e5afb16047988f646c566ce8eb04f815beb

SHA256
b65a1dac8e81fbfe6aa4251227a57232361eb395c48356e12d45c06aff09bc25

SHA512
c8e4bc25f274e660c4afa1fa09f490c45d691dd9e46199c7bf3a6a5c745f06c989468670f4648520c4c664272eac6d37522048de325a384f760830b51f15e7a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d34ba5705b1750a908cf0a542fa8cc6d

SHA1
d91319d0ebd982ecbe27f266826e60eba16340d7

SHA256
41a23adb6daa4f06fee8f2b1574245697c288c1c906ea765852e8fc03040ea06

SHA512
cd0c5143a1d562ffb80a0ad31873466e2a602959f77829c1da004080daf816e96b42e262e5e00bc1ecde0e1a7f1483264863c5ea77f98041d2a581b834650dbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe7a6e521fc577e8f3c09556011cb442

SHA1
2469fb06d0a910d0d1b9b5d294123e372f621c08

SHA256
df1ab5485f4245339e77d017d54c1ee8f42effe45fc797628f4bd49a0aabdeee

SHA512
a3040c3115177a12f59f3d6acd6fec150fcc83fe6a916bd07233f82876e80744934d34889ba7e4bf152a360c3c7c3e1a62ffa15198e72e699ca2b703071d9288

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e78dad745961b97c1aa57560ae69e54d

SHA1
d17828e3b606d4e2b4ee633bf9f5ccdf12c9d12b

SHA256
f5f208c85a6b75fb3e73df365470ac41a584cb09e738c4e5c905d250f89a6f3b

SHA512
f765bc22c9e0cff2e4a1bb3c26e99b34ef2cbbc93a9e3ab719372856cfc81ecba549908e844b51c319ddaa34da488dd1f811a4061bab8701b36dcb793eec7b92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
2a035a6bcaf22883a0654c68f8db6140

SHA1
1e76ae5392e867c267cb94ff875d882077d04504

SHA256
3d5584c238aab5d83950666af7d5ac509d04a6b2d082fedc97153d9501faae90

SHA512
6e33445d20db49f7b561e65f43cf6a63111f57e526ab9b33073272bb2434eb13b4df8c958f25de93a14d5fefd3591b7cd6c4b5ad0d77d10d0593763f3131470d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
ea79b3a04e3fbe326b83dfcd4debac84

SHA1
268eb8305d174f36213ae55198aa7552a4ee8446

SHA256
cd18efa094a9e9ec76522e79c375822e3edb1dcb66c7a2ab34f09c3530593656

SHA512
a7bfbdb127c4aaf20ba1f4f08d4278633f2e8e077d466d2dca1ad5d72382cb00f357a56f69b0295b7f6e2053f62f386f15feafeb1b23474ac8291c5e9dab8a99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c075495049be81b9ce2815c1bc009b36

SHA1
1befacff91d652f8376955358af77de55a2bc7fc

SHA256
f556c7856e80b0fdd93f4c0a6ee721a26722c54cbd32a8133cbda0e8dd91babd

SHA512
138e988324533e3902abac1676c6076d1ac2db868e5f26eb47736e9fdf572da11b3db798f61660f3eed582f89f3607d8b7192bdb2f959bab96eaa2fd410ec307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4a1ab2983887cf515db757fc3fad08e8

SHA1
6b41e50b19438a24ec150bac5d3b660fcd5729b1

SHA256
7d9cdccb9a9056b1a32751d0908b9670a7f400fe93a056d28af072ab9824bb5e

SHA512
a97cb76c849e6d2eddd9bfca90719d08114e46d04dcb57ef867b2435f44712de0f7995b57ee72d1df04ca2a8bb7d4a81554eb8601c2f77fadc1761a8e367dc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
01f0404808eab857180546f2dbee23ea

SHA1
3434dfed718cb0cb61199013dc3fdae3aef01df6

SHA256
5d0746126928ddff428e9b4bfba2c815e2b484ee1dfbd175212bac02bec58ac7

SHA512
8ecc2ed5903a86a1a97ef79034814a79f3f74c4d4b4f9ec551064b404809eebfd09038c1ab85be4d7646fd451575f2256027afef467a99a34c561243d7d52b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
cb6e3b330bd0b550c1f25b1106e42a46

SHA1
1d5750d4fcd9f51efa50940d86f1506d31e87047

SHA256
b9b2c8b3154abd36faa3b674599af23e4c785b413a7a2e568926ae9b4f640d10

SHA512
411a7aa0b512a81d15748a3ff7bf55a48f928bce67c435c06ce3178c8f5ecfb93f05d2fc56074b43c054a0ce84f9382189853457e05842cde2fa74cc35e872c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
2c31ea4228a45fa40b45b881b64d90e1

SHA1
a7b38fc42db92a0d8d9bbcc2a0f83004df8a3f2d

SHA256
348d87b03e5cda067fb24cf5f1ca0af608fd6ce7278702da521dd078dd28d172

SHA512
45cb0ab77483efd712660753778a0bfaec27d24d515f66116e41cb1e594b9a33e86d64a4d371bd3638962a20dd589123ec1ee3de643b19c50b3c1a553468877a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
a0220c97026e2a98128a2a12b80d0285

SHA1
bb1eddf5aedb5c871f895883590e30d02d915b7d

SHA256
cfb0717a59d5ecdaac2994543492736679acd3510137535a687051a1f389780a

SHA512
f85c81407f9d0d92f2671edd86b101823e42ac6f803471b7e63b908e53fdbc7811756e49bf246038d10e5aa53d2cb8dea93a658376b5699c52c70e87c9f1df8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6e07a9c9f123bbfa5b71467947424c30

SHA1
703103bc90d92b2bcc115379f2bf1edcb31cb69e

SHA256
6f41976792f7ff3706c588c7f56510a842c6e9f229ecc101cafa19315129e521

SHA512
5addec1be07bd33e7c3ae4dff2f17f1d1fe83ea7b09061c7beee6a4c36ae28505c8f1999a832dc4f391c85745cb55536008e9f5c603a2c1b59cbceeb263c556f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fa86d7303b430b64c3e2054ae367a9c5

SHA1
48d7db082f1a8337a3a557153d0a4a638a67c473

SHA256
9aa06ce5ac6d296d0b1dbcc2bf3ef7043e65fa8729ed662c57c6ef7eb52a659e

SHA512
19f4b734723d8668b47c16a68b61e10092776f06cc698fb7937004503b7610e11d0cf82f273a4f1c42c43874a0adfa637d0992716f0077b8eb197a0bcf1f7efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
0d90be757421c1e0feca90899f88f05a

SHA1
ff7da7f369b3325624e14e04f89d6cecaedc0303

SHA256
9546ca70945d22a3709ee223ecfabd3f3ebe871697b5f9b4e930bcb31833e545

SHA512
bb6f1df2f96cd13714a1e9c158dd51c608fb5c3c7c528d5bf5c1c995b325f69e745bbe6a0322e7ed72bee0aed94c7c2203d443e11183c425315a554075de6d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
ce153f58cc649baad581047d834e0b8e

SHA1
50913608b2362cacf8ae463f95a0364db012f2d3

SHA256
03003c6cd4a882fbf0d46b88d4ba2d50c523b80e5938f106bb7e72859fb26845

SHA512
2815132fb96aa7871f7dcbb7d50d7f7617250ae02ac495d11c1c9bddb5be3a14ff8e390c0483822c809e6ddec7d553fee4ab17deb5ec90f1afe734407d052994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
eb3bcb01ced160127a5842722f1aabc5

SHA1
4dbd25b761434a57b1460ff2d0877e3aad71e4a3

SHA256
d6c59bf51eae839172956b41327fac491bbb6636e5c938a433de0471eb0f4811

SHA512
a33c3c57d27cace8e37673bc0802beac2c9cb0aa40f4c710be3522cca9b683014acf7e66af62e11f89e1980fcb41ab5ad13ca9303d9b7220b23f3ef255662dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
323c69763bd43b73feef8aeeee03b28c

SHA1
19042d64950e7fc7c50111f17dd8a99488d9c401

SHA256
e6425bb5ab8d581e9ad4e57b17ec3d0d49b0100291ab63213bbd2e3459a24fc7

SHA512
3a599e2dc9fa94a1a357c51e9da2d5e4936863aa369009e7780a819cf035879a28a06dbbb3537206e6a8cf1858a087ca70a8c1724a1e285fc7a6c39ec885c518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
898B

MD5
f82391d6a582fc96a504e324d468c024

SHA1
af18cee34b8e102662a82a158e55c146114cccad

SHA256
729e6986b87a34925df1443e07f02f7c08b317f70a0b3d36089be2d61a7389af

SHA512
e8610f72d9f39eecbb299fe32080a488582a090981696109b363d025d21264522901de56e5f5cfce73f617c48966a8cc0b07f9589f9016debf0c0a94dac2c2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
15KB

MD5
81e648b152ee5a805d8ad88409c2d0fc

SHA1
6516cbb1eb282159e5b6e25cf6b6a657c550acd9

SHA256
ecdc5537661262af2e69a8cde9cc7c81b7d47cf58bf4f946d78f013361f68099

SHA512
c98a5421008be87358e91b8ce114f6254ce14753265e3cae80d4bf5c90c89fbbbca479989ad668cf76dea1696f1979662b1748f3ac4af4ce76be6bfb0907f03f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
f0f9492efe7bb0451e39f2460bd885ad

SHA1
69be5feaf3defdf6f15a68064ec0938b588171ff

SHA256
d93d4d26f246f9086938e0f37af2b9a45de22baef79f719f006effe873f46e8b

SHA512
1323d494f34fd7b7b06fe1e01d10870bff04a29d58d2e147b8b9541ff12b4300e7bf7e554b1cf0473a37b51e5fdf85c5d4b1c824ad86299a1d73c81f2bb926f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
858B

MD5
1bfba8296145c9656996f5087e505a9e

SHA1
4442fb51c24c77238ba5e71496e2442c05b3a630

SHA256
37cbf7adbe38d383b7c592c60b7a5a717142df597fdc20cb20cc4a906df5c684

SHA512
e73a7d06570b92aa37a7eb8e575c6e8676f529f5c10850852274c75bc1d5fc98f9c30fd17b9e404eb0b6670d8c349a04ac11e6e969680bef9172938c24b624aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
f6b24ad07edab42c88540a87562c81de

SHA1
dd8691937a6a089fd58b9db56b6f599022b48168

SHA256
ab8d2b9c88df9ac33fbf60ee72a5d8c84d0dbb28ebc1de08a4bae02a8af8071f

SHA512
5fa8a1df39ee12048ba5817c1962cb897a3454d69d78ad4c40e0f72fe04c4ccfca674a2d629dba8376f2862ca587163435318d4cd7b5ab5c64ec03703322ae1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47997e37ee76c3ad1c419fb32f1fed16

SHA1
85485a5170bbb0dda95c6f5aae9053450157c733

SHA256
c56745d08996ce4eca0c7ae3f251a08d1f6a15a535c08ba25cd8b86a758b62d0

SHA512
01f3a7a0ef4597f7edb09bfd6f2503948e1f105e0811a7c7524bfc699496c537ca83d43a922b19d6b1fb23ce9f82b219817255c72c7670482526995922be2976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47e0cd12ed3cb48c5e1b47dc8ca76ab9

SHA1
61823ba3aa8b71e181a933940a975b3eafc08d8a

SHA256
1e3115df82ace25374ee8791d2b13343996990c0ae7a4d96ce92855a25ac2431

SHA512
d33e168625e6ef91b316331d41f5fd68e20eba62f59364fb33d89c149798c127072aef6339f0b584694cfb206ef2eaabad7543fd446e64d22a262fd368093d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4486d7f2012c65fb4d1b7e3db3bc500e

SHA1
84c59ba84241abd9b89c0b08b63ec06d83c8351b

SHA256
27456457aa71efd793a539a4a6350611b8a612ce0d184eafabc5cbbd84831b56

SHA512
27f238c9131c5a9ec3c19ef66d020a8776246406572fdcaa079eeedef19aebc17fd50f156045608830d5fae45774b81245898d4654de297ac705270a22638737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4c6ca525c71309fea9de6995c1432a9

SHA1
387d3cdcf332a323840f84d2d6a0defe232506b2

SHA256
b9b386f3167cea5a283f8778759c589a9f38e4e7df6acb0b5804480f0bedc22f

SHA512
7fd6168901d0cec8fb706ca6cf1a74ab2fc229f5a38fafad1fe3b560153756c2e630ae17018699d9a65609541a638ddaa1d74b97fdeb8d37de7ed09eef91384f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
acbc19279286daa7f9dc36ca4b1c97d9

SHA1
76732637189b9c4405e4d9f8da30086b35c7d005

SHA256
32a2e46ff67a13c6c772a05b7e23db42c10ef00b967986eeab1a8585a8c553f7

SHA512
cdb1e78495bfd90ed1cd06f8f79ce49c203a5ff599cafc18a3dce7a5409b36fb79fa1c726c7d7f317210046c1527acadceed3823adb549b313f509175428359a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f6f4eea409bfc953b104ae307fd6474e

SHA1
ad63c91f19bb225bc233ea04d6f9b85106a29a7b

SHA256
9787b176f42ab45e7e7c0bd364cd914c53a6e90f2b9cd6b2d8fcc4e7251ae396

SHA512
d4e6438dd2d18b7d54c7944b145c7108680a58bec1cbe8b626085dd97bc9b343957f0e9325357c2e8172639a2046ad3295ff1c91fefcbabee4f263cd0e7f640b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
415B

MD5
b390e3620b283d8c926e9a2f24381e24

SHA1
b64431c9dd5b639c7779f3489c8a789aedef9376

SHA256
44c17323e91d3b6cbf158c902d8ebdf7dc22d5cf45835987bfdc7604db985121

SHA512
825bf594d4570ae66f50b5faad8711adc84a4b2bf51c02f297a42e24b228a9cb05a9d09561272e12dd8723c796d7dfdadde748071efb24203a1760ba5f9ccea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
1f01d88595bda676422ebc03ec059e7c

SHA1
1c2c3216c9ac31cd8b71d40967b1635cffea962e

SHA256
36cdbb832960eafbf4c4f079de7d946969ce9157f975fbf51284732e4b012d8c

SHA512
4fd1b0ece152861753f0f6290d94122dc3e5991d741670a008898e1d349987f5029aec817a043170387147737a5eb4b9535ac06181c825224c5aed82f95ff6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13368323568232024

Filesize
4KB

MD5
52298dfee9acfc77dccbd0d7e23afb62

SHA1
e82ece3d9a2d9f4d9dfd406637eb40a9aa271266

SHA256
c84d96184087379d1e63e26a090fb3e233961bbb6d9526d3ee329c2ba16b093e

SHA512
5a320ab7a373cdde22c7b82e7d51b4dbcdce221f38e5e1d0a4185ecaffebf57871bdc3dde06d20688376dbf6ebbc8c471b4fc18c92975365dadb9b12e742da8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13368323568408024

Filesize
3KB

MD5
8e6bcaa32e09dbf2eddfddcbc6d040ad

SHA1
878d994b1daa98b9f1b1fb76c2df01c85b27444d

SHA256
5d74995e5c86e4134c71b8e443030c475766d2d3459dd9ec2dd09a1233526619

SHA512
f736d2bf8b09d3df249430d92ec9a09237523f70dd728b61e6c24ef396f207c002bdbc4ac12620ad043608f1440abe40212a99300de88030ff1e561689b72e2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
0f211e3d3e90732043dd7b2515ea26a6

SHA1
8049bfcb4ef75a71d5cb3295b149698b699659d6

SHA256
04d0a6f1c1b803e83bbd41592461776f45d062a35c3e66f5c7c0af41c038f74d

SHA512
1849fb1302edbd69d9e9a220e581dfeeb31c0e3f080f0ef619060e6630793e2db32819b0ff4fe5155f914085506f9815d3ee488c5cdca06b64a8bff3d99648a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
c83a91cd0225610e636bb9f3615637e7

SHA1
0c42ccacb526fc76dd8be6b8d05966cfe9a6ad13

SHA256
e3623d933619f1ea48c6a168b4e391df247690e644def12ca106fcfbb4001f65

SHA512
a1a85ae5efc78af3efc3aac646a6a77a8fb22ff7550867f07f942979b39e673add97eec21a61fbd4aae7c475b97b142eea48b584ddc3afbacdfd82ebc7386e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
7bbf084539526d08ecdad489bd15233c

SHA1
690be4a8b4d467bfd37bf0d57516867c1ca2b5cd

SHA256
094c94e06f63e0a9c78b102b0bee00f8ed2fba2d039181203906bac6adfbaf91

SHA512
347d33c99329b34ee5ec749761407f1d051b29f389fa2d2ed59ed316da47dad3fc27e1d6b00e95a16ace9056ee91cf1e69626c713e07e373083d5f95d71a1150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
54bcbab53b381c2779190d85dce3a885

SHA1
ecf6d8b6720d5ee405e9b624a48b122c36e7fd76

SHA256
9b94b478706eada7c6a8be4a2a0185a60204ea3ad4a89e2c12af710f6b20a238

SHA512
d025512411829cbb36af1500e22586d4e7b0b7614b685d788dc77009adeaf37616baf2566810b7147788179b5e463e78d7cfb56eaec52917e9a1fc8c4d901923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c05ab51392df5b3fd1875126c3bba5e

SHA1
9df05b399b73830c95619fd406902109f5eb2fcd

SHA256
20f99353a6e2c232e7ad002e418dc10b9cc3871da6a8e380ef9b520be65466ab

SHA512
17d83f281290a86d8bb7e0b5fee181ff8c6669b4bf1da61f878ea9af94a79380811086cba4649fbdb782783cce476f5efcaa30832363d1b719fbe0dbf75f3548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581095.TMP

Filesize
874B

MD5
a419ef5b9168f2c95ef4713e8e2fc4ec

SHA1
b971ca862e4610cba77ce53bd2e6a4173fede47b

SHA256
528a7eb0438bf4fda3e3ebb5936755e2375d2738d5a372dfb97173f2ddab5ba0

SHA512
8f4b22f3bd0003f53267ac0431d7129daa8252b1f05e91ff1779c01599d0c53a8822c6b2bbb91e74d9ec238974a6d825fa1e18db1c1c59579f13dfbd6e722e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
e458459d128eb0a87f534a4a9f524f26

SHA1
7bd7a8b27997ba8d35058f88b592a90e486141c0

SHA256
50299e99324b7da65412abfaf6c51a8887769765c6e845a9b97b095bb0636bf7

SHA512
0c92c2a482f36a7e001182ecd1c8c885931afed1ad2e03135e6f84452232ec99aec7028646635cae5a46d95d8bf3500aca1e63946c6fe1ed05549ede8b8c9415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
67db3f6c77101e740eb4560d0039ed10

SHA1
f5d39ffc3eef1b6daa6540e2b6c1fc0d1931390a

SHA256
ce42ed7f2643f4ede9cc7aa26abbf4e062eb2e71183c58a5a45c8857ae7d8579

SHA512
68167d1c8ff3160481eb4f4e84b73c71ce0cb2fc2a55e669c5fc173f1fa9081f5e26786dbd0489ca873543c9889fe590eefe1fa2e32b3d20fb9b1a8a3656ff33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
27aeb9f312c4e209df929339ef7815ef

SHA1
f7510110108bca6e32bcf6301d660fb7f1e45326

SHA256
1f4c25c7e59126ae579696d34c75816d543f42f571609be187a46a5512369d80

SHA512
44961f4966468a161eb2e388889175c61e46dd5d6a58cbc86820f6cc64431b3ad43453ed44874b22447fb0c2f9a77f852121cfbb75f1d33eb6e3b0d6ffe82199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
aff094c09d0ef91b43f809585b8f0240

SHA1
be6f99fd81efcdbff8af6827fedcb27aa09a220d

SHA256
346e0ddfc1feb69e29bf3b3167c8fc076abf125adf44252e42ba53e4927fa2f8

SHA512
f711c143b5daef5239f4217f41cf28e6b12d671b95ed8997f6d6db91f92d1f70f139da3b29ac6a09dd93bc75c6d661d0a37eafe2e6e17cbe8e4242b284d965cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
4d46a9d4ab4ff47fe7ce1c0049582311

SHA1
02af7aee57d9c36f3f6935519c039888d32fba97

SHA256
27ecb3eb41da60221104d6609171421d88b93a4e9e1377c22fd1474153b38b9c

SHA512
c4d951702465173c448a08341eb1de7d267a6a9829357d9737e2b0be273b360ae1ec69972ded9b722f92435dc884ba4dc54c3648bffeaaabf4acc97ac6c6e154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
6e96d4be3683691fd23563ee041bd5f3

SHA1
05c7d3edb94a4700a5e93325e214dd252b9affe9

SHA256
9ab9096a75571d023082256281dafe3870c64edbdb547f33a76876fd10cf34f3

SHA512
2a33a2380b38c5c6832aad670d459a6b47730b2b996184972e15b033394bf81bc45bff807dec5ce509b696f16e044d5363b94644c12b53817e3283c6d9117bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
a0d74668a9e6b3c3588f079a9410f646

SHA1
0486d56786146d812e3f9801ccecb543fe289001

SHA256
3808a64566720ece937e30fc2069478b25c6ebda3fcf565eac54e83b28eac76b

SHA512
12764fc332fefca6228ec846d54a9ad84e49432d1a8bdb7a4c2073205379e32a2b15ab9f0e31ffeae0ee2f0d0c0ce53d2916e94b52195992a3f378a90e732b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
b61a3f780d3903aa3cdfd65b48c306e3

SHA1
afb612201df740cedf0927281f24f44e0ee9909c

SHA256
7a137b20980b88687e302d8a58845717aa70e503c71dce75050e3923cd1e17e2

SHA512
fdabd7d81260209d225b150b6456897efc457e5f72fae4b70da3ce9f45fb94050e4b752328a33625962da0a1bb3017fdb7c7f62635edcdaf33de8d35110fc41e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c9247d338474f8cf9f6ee2001e10315e

SHA1
5e242220101a00832e96c14d209ce3838afa2685

SHA256
e7c4581cf2541d5b2d27f5a45c747ca9f5bd5bbbd74e6b35a9c2f06f233e5285

SHA512
71493f70ec617b1947dfa86aa75577edd0dec7636019a9c9dcfe6c20dbd2846daaf7b90a6e3ffb7bd9bf837cb6e5b340cbf1dc434b732f553665445f9ea89ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
770abf8fced2d9252cee422b99a8c883

SHA1
82daf995e7208258bcdbd565c0a4e0ebf69a34c3

SHA256
350000eb1d9853e382b1cee1f6fcf0d4b614dc754f2922e02b33d479879a2f80

SHA512
5ae64bfef6f38e05b4eda80c719dff9b6c5850431eae2e8792f9724c37c1a5e6fcf8f14cb90ce983d4c879d53e601aaa69322d0e4d57c93a34b7eb32a7e9068b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
16KB

MD5
f55234db88c6538e3f4ad45c114435f1

SHA1
c4dba9a32f50f2d9a27ce81a1d62f7587751e6b6

SHA256
bf139ca7efd187c36f3ec33691f427205a63ca2707af18bc25430637928d713a

SHA512
8a621fa5044977bce987b8259dc850faf83f4e82f4df1a7a689dbbb0b9b065676842f7ac462b77f66c3ef892c3272960bf5de4c0dd4f02e85430b368867feda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ffff8f85920ba985fc9ab7b6c4330b86

SHA1
dc9690df72316d8a74eb98fdcb3ca24308dbe0ec

SHA256
1f298256277667cdfbc8e250f58c3e4e7dcc95843a21a98abe925051c3093776

SHA512
bd6efc24c8a0790a1d3c44cd859c2195fdcf37a9255e75e3ab214c3057632eb4b9b26ba34c6312fd2422db4fee3f8bcfc8a9db07a0b8cbc72d3d4dd228dfb093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd1a11d71bacf4dc55fa1aa230200bd9

SHA1
ba82e28d5b77e39031107b346e8606ac2bd2e767

SHA256
61ce3564c2068819a70a565f6c884b8071492ea177b412b2ac320f54d4a13bb6

SHA512
c39a566c162c89dce77364ef9988a4fe568e19426d779775dcf7e5e1fcbc6f33e1de691d19f24c4b9ed9e84fdc885117c2cde29994f337df1d95105d77c61cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ec207eba9d502ee5629336d1e260294

SHA1
7c193b9327ee50801ba1d5a6ef16692a6b35e067

SHA256
8b78c87d2ae9f107d33120ac260111759f0ca9fbd7839b3feeccf3716184f5c6

SHA512
dea14b3c14f175478c172cd0c4829ea3b6ca1e598c0ff05e2183a202cad041f246cadabff75c0fb85a5b39b4925a8ffe29c1011e3147c1b78abb80075dae89a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
c9804ff357f2bcc7d367d0d2c3cf05de

SHA1
5a55abf03d05edc550fae27f0b72b53b6b42ea41

SHA256
f9a5d837b3fcee6269c63bb639fb65b626fd9bee4a1a921c16c977ced4bf25bf

SHA512
61b6f7de80d0f989198a3f94474bf25b236793e47f8e897932d8cb1574d26892d059415c0a265ec60e1690cbfa00f3d109120476fb88ca40a00e6e89e71576ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
3de4253a52cf511e58d4403278e28453

SHA1
58974d416f0eae377488d4b39a89d858de6da987

SHA256
78ba33218fbcb18bbfc7fd560d0468534d19906aecdb231e06a76df573f40e5e

SHA512
5989c278418f9b2bc2aeb76f2e150c1376d7d9237625db695a897dbda35d041f0a8e442bec68b7b7fdc4017eb4d64a83860181f32f703204422501c72abb0069

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/1236-560-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5672-2048-0x0000000074010000-0x0000000074092000-memory.dmp

Filesize
520KB

Download
memory/5672-2063-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2045-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2093-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2099-0x0000000073D40000-0x0000000073F5C000-memory.dmp

Filesize
2.1MB

Download
memory/5672-2107-0x0000000073D40000-0x0000000073F5C000-memory.dmp

Filesize
2.1MB

Download
memory/5672-2101-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2157-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2163-0x0000000073D40000-0x0000000073F5C000-memory.dmp

Filesize
2.1MB

Download
memory/5672-2166-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2172-0x0000000073D40000-0x0000000073F5C000-memory.dmp

Filesize
2.1MB

Download
memory/5672-2047-0x00000000740A0000-0x00000000740BC000-memory.dmp

Filesize
112KB

Download
memory/5672-2049-0x0000000073FE0000-0x0000000074002000-memory.dmp

Filesize
136KB

Download
memory/5672-2206-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2050-0x0000000073F60000-0x0000000073FD7000-memory.dmp

Filesize
476KB

Download
memory/5672-2051-0x0000000073D40000-0x0000000073F5C000-memory.dmp

Filesize
2.1MB

Download
memory/5672-2046-0x00000000740C0000-0x0000000074142000-memory.dmp

Filesize
520KB

Download
memory/5672-2029-0x00000000740C0000-0x0000000074142000-memory.dmp

Filesize
520KB

Download
memory/5672-2235-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2030-0x0000000073D40000-0x0000000073F5C000-memory.dmp

Filesize
2.1MB

Download
memory/5672-2033-0x0000000000260000-0x000000000055E000-memory.dmp

Filesize
3.0MB

Download
memory/5672-2032-0x0000000073FE0000-0x0000000074002000-memory.dmp

Filesize
136KB

Download
memory/5672-2031-0x0000000074010000-0x0000000074092000-memory.dmp

Filesize
520KB

Download