wannacry | hxxps://www[.]google[.]com/search?q=e&oq=e&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg7MgYIAhBFGDwyBggDEEUYPDIGCAQQRRg8MgYIBRBFGEEyBggGEEUYQTIGCAcQLhhA0gEGNDZqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8

Analysis

max time kernel
443s
max time network
443s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17-08-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/search?q=e&oq=e&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg7MgYIAhBFGDwyBggDEEUYPDIGCAQQRRg8MgYIBRBFGEEyBggGEEUYQTIGCAcQLhhA0gEGNDZqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8

Score

10^/10

wannacry defense_evasion discovery persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Renames multiple (68) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2D1B.tmp	SPYWARE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2D22.tmp	SPYWARE.exe

Executes dropped EXE 46 IoCs

pid	Process
1568	SPYWARE.exe
2872	!WannaDecryptor!.exe
408	!WannaDecryptor!.exe
2360	!WannaDecryptor!.exe
4996	!WannaDecryptor!.exe
1716	!WannaDecryptor!.exe
3604	!WannaDecryptor!.exe
3024	!WannaDecryptor!.exe
556	!WannaDecryptor!.exe
3136	!WannaDecryptor!.exe
3568	!WannaDecryptor!.exe
4168	!WannaDecryptor!.exe
1680	!WannaDecryptor!.exe
1636	!WannaDecryptor!.exe
3540	!WannaDecryptor!.exe
4548	!WannaDecryptor!.exe
4948	!WannaDecryptor!.exe
3816	!WannaDecryptor!.exe
4432	!WannaDecryptor!.exe
1112	!WannaDecryptor!.exe
4576	!WannaDecryptor!.exe
4008	!WannaDecryptor!.exe
3772	!WannaDecryptor!.exe
2424	!WannaDecryptor!.exe
3056	!WannaDecryptor!.exe
4720	!WannaDecryptor!.exe
4312	!WannaDecryptor!.exe
3384	Birele.exe
2916	!WannaDecryptor!.exe
3068	!WannaDecryptor!.exe
760	!WannaDecryptor!.exe
4056	Birele.exe
2240	!WannaDecryptor!.exe
1196	!WannaDecryptor!.exe
468	!WannaDecryptor!.exe
3420	!WannaDecryptor!.exe
3748	!WannaDecryptor!.exe
3872	!WannaDecryptor!.exe
2568	!WannaDecryptor!.exe
2292	!WannaDecryptor!.exe
3772	!WannaDecryptor!.exe
888	!WannaDecryptor!.exe
3764	!WannaDecryptor!.exe
2124	!WannaDecryptor!.exe
224	!WannaDecryptor!.exe
3884	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000025b4e-3312.dat	upx
behavioral1/memory/3384-3463-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/3384-3464-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/3384-3466-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\SPYWARE.exe\" /r"	SPYWARE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com
296	raw.githubusercontent.com
12	raw.githubusercontent.com
14	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4880	3384	WerFault.exe	227
4920	4056	WerFault.exe	234

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPYWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3448	taskkill.exe
4564	taskkill.exe
920	taskkill.exe
4860	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{73B1C9B5-FF72-4A38-AC26-9AC4BF6D987A}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{BCCC1DEB-C96E-46D7-88E4-A6983BD876BF}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{30ACACB5-F4F9-475A-AE83-7DE01E824C2D}	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 553589.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 534375.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 704411.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
904	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4048	msedge.exe
4048	msedge.exe
2628	msedge.exe
2628	msedge.exe
2236	identity_helper.exe
2236	identity_helper.exe
3544	msedge.exe
3544	msedge.exe
896	msedge.exe
896	msedge.exe
708	msedge.exe
708	msedge.exe
1316	msedge.exe
1316	msedge.exe
784	msedge.exe
784	msedge.exe
3132	identity_helper.exe
3132	identity_helper.exe
3044	msedge.exe
3044	msedge.exe
1464	msedge.exe
1464	msedge.exe
2708	msedge.exe
2708	msedge.exe
1204	msedge.exe
1204	msedge.exe
2292	msedge.exe
2292	msedge.exe
3604	identity_helper.exe
3604	identity_helper.exe
1908	msedge.exe
1908	msedge.exe
876	msedge.exe
876	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
408	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 58 IoCs

pid	Process
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
2872	!WannaDecryptor!.exe
2872	!WannaDecryptor!.exe
408	!WannaDecryptor!.exe
408	!WannaDecryptor!.exe
2360	!WannaDecryptor!.exe
4996	!WannaDecryptor!.exe
1716	!WannaDecryptor!.exe
3604	!WannaDecryptor!.exe
3024	!WannaDecryptor!.exe
556	!WannaDecryptor!.exe
3136	!WannaDecryptor!.exe
3568	!WannaDecryptor!.exe
4168	!WannaDecryptor!.exe
1680	!WannaDecryptor!.exe
1636	!WannaDecryptor!.exe
3540	!WannaDecryptor!.exe
4548	!WannaDecryptor!.exe
4948	!WannaDecryptor!.exe
3816	!WannaDecryptor!.exe
4432	!WannaDecryptor!.exe
1112	!WannaDecryptor!.exe
4576	!WannaDecryptor!.exe
4008	!WannaDecryptor!.exe
3772	!WannaDecryptor!.exe
2424	!WannaDecryptor!.exe
3056	!WannaDecryptor!.exe
4720	!WannaDecryptor!.exe
4312	!WannaDecryptor!.exe
2916	!WannaDecryptor!.exe
3068	!WannaDecryptor!.exe
760	!WannaDecryptor!.exe
2240	!WannaDecryptor!.exe
1196	!WannaDecryptor!.exe
468	!WannaDecryptor!.exe
3420	!WannaDecryptor!.exe
3748	!WannaDecryptor!.exe
3872	!WannaDecryptor!.exe
2568	!WannaDecryptor!.exe
2292	!WannaDecryptor!.exe
3772	!WannaDecryptor!.exe
888	!WannaDecryptor!.exe
3764	!WannaDecryptor!.exe
2124	!WannaDecryptor!.exe
224	!WannaDecryptor!.exe
3884	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 1628	2628	msedge.exe	80
PID 2628 wrote to memory of 1628	2628	msedge.exe	80
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 3132	2628	msedge.exe	81
PID 2628 wrote to memory of 4048	2628	msedge.exe	82
PID 2628 wrote to memory of 4048	2628	msedge.exe	82
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83
PID 2628 wrote to memory of 4940	2628	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=e&oq=e&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg7MgYIAhBFGDwyBggDEEUYPDIGCAQQRRg8MgYIBRBFGEEyBggGEEUYQTIGCAcQLhhA0gEGNDZqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb12c13cb8,0x7ffb12c13cc8,0x7ffb12c13cd8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3308 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1412,18325009888241926218,12359546215280583662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2880

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WannaCry.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb12c13cb8,0x7ffb12c13cc8,0x7ffb12c13cd8
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4024 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,146194809130033634,16975873188061924583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

C:\Users\Admin\Downloads\SPYWARE.exe
"C:\Users\Admin\Downloads\SPYWARE.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 231751723910063.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4748
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:824
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3448
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4996
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1716
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3604
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3024
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:556
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3136
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3568
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4168
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1636
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3540
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4548
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4948
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3816
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4432
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1112
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4576
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4008
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3772
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2424
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4720
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4312
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3068
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:760
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2240
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1196
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:468
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3420
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3748
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3872
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3772
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3764
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2124
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:224
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3884

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb12c13cb8,0x7ffb12c13cc8,0x7ffb12c13cd8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4336 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,8978825176201749809,9418979444320586249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

C:\Users\Admin\Downloads\Birele.exe
"C:\Users\Admin\Downloads\Birele.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 232
  2⤵
  - Program crash
  PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3384 -ip 3384
1⤵
PID:688

C:\Users\Admin\Downloads\Birele.exe
"C:\Users\Admin\Downloads\Birele.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 248
  2⤵
  - Program crash
  PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056
1⤵
PID:1528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
64a8f6618243ded542d1f8199f8664fa

SHA1
1fba3f3cdccac7f9d1221470d69aff273b21f97f

SHA256
bbc37b14718dd22792135c03534785da1666c78f1926729a28057d9824dab17a

SHA512
7eabb79ab8b317757c79f96de5575d15f37613e4ad49ef86e2310613d8728fb2ea9bb916d4afb76a4b5d50f0a7d6df796d23030f656c1b7d3c9ecd3d55ff820a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec71aae4acbbfd779f564a14d9470e19

SHA1
76f7745ab6024e40b2314ae6f886de3197d9d64c

SHA256
54180aa99d9d405360ce115e24cacb9315a6701b75cdeb593c08fc91e1bd535d

SHA512
fed0fa74b67d4c357778af69974aec7ef29f69c9e18456f89d03eeacf1b42163f3cdcf04d12c2b4caa9330f23015949947c218cc8e2076fda10fac73ad66e51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ddfcad7f32786f1c023877d947e538d

SHA1
d896d7524429a97a845cdfbb667406b89471f6b0

SHA256
da78040e00e337dcc127dc0ebd75ad3c3cc6ca0bd68971fe2e215bac9c2d7392

SHA512
80ab822d13af557ff1c1009683f7d4be2681956d8008dabf073b1d832b65829af87ce1b93a1c80faaa32265f1d4cd7967e3417b01c0488e9305f22d447411133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd01ad1ec59993125f501d763d18aaac

SHA1
0cb578cc4798b0615e42d60cbfb615c74cc643b4

SHA256
f8b6c1472bb3be6826740d7a2677db7670ebe20d479a473d345ea6f819ee5139

SHA512
ca8de9b00cee6fce09df2fec02be55af7f9e01c634fba61b4b620971522eb235d3c5f90eaba9c5069a1c23749540ef9f0891486ac20036bb7b26a95346aa6985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\79920030-517c-4936-a55a-60cdc9d84c1d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
68ee7ba82d87438dea788611b83aa852

SHA1
de60be5f043d82c979e35531a2fc537b54e34421

SHA256
48bcdb4fba83aef990dac28ff2a217f5541db5693589117ef42ac8797b61da4c

SHA512
91bd8c309f7b4d4991448899e98d5901cf1d4e044bc31778c1f001096f05ab04aad3f2639b17fb90369866cd51a7a47ee8f36c4149b649f9e9788bb648f1f331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
89KB

MD5
b3f1987a80d3304cf749de1cb35766ba

SHA1
b967ed1fede1986494110b10808178a2b1ab22f4

SHA256
4979287d2f6d1377e2e5fb27ab89e5f1a02ad6157030706409aa6427bd962793

SHA512
5ef6cc826e341aaea64a9e59906cb2ff41ad40a4cc74bd36e24234ce16ac23e5afc4a8246f51cbe4edac7b034391c529f8389aed78649b633ae8a731cd6f498f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
41KB

MD5
1b6a92d0ed3d06e1210f6bab9be2f454

SHA1
6a69839ec9ff926fd4e4411dfa28c757d7c4d77f

SHA256
a13c58db2ebf951ce2d1a54e41b9e954599d523036644b38572a23873e7b8afa

SHA512
ca69e573f1036dab6a3bf255a3d1a9d1c41917580a539c1bcb82440b8e89714f216a693744f1aca75c9431e7d61b3f1889e684fa6b1080ddc1bfeb3f402bfec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
72KB

MD5
b5223c7d92d4a052baf80f503ba20258

SHA1
6645e4a9896a3f161923094b2996f812b0d4cabe

SHA256
56ed5bec0bb5bba663130a3812e92db233b25878b57d4829fbf452f70386541d

SHA512
8b93043286a2a2fac8b66821937695237051eac8dbf5492e2c8a5fb3cbbb9b37a801eb9ef3068a3b2e848555759ca62b4c071601037558fc9c8ba1a6e9047dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
98KB

MD5
f78a0997d8fb7500b3adfb7661b6ea1a

SHA1
d7dfef7a870fe02e471d3221e1001b4dfbf60846

SHA256
170da5861975401ec1d76c4efb305ee654da0fd7fcc5bdcf9aee16cc7b9fa230

SHA512
ee0ea4ced6c624843ec9d3da39d9ba8e0c5de740297d3f068650866374510ba5a82fb09738ea5c00c1eca19a74fd4916e5bc97709723ee9a6e4a42318500a2a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
31KB

MD5
3036ce83b827c2eb462a47ffe962aa91

SHA1
0769e86107597b04e1fa270ad3160d49a129e70a

SHA256
a504107965fa0beddcd422221c2a8877a88c3b787980b43881c3dae6b096f7da

SHA512
e13f6148358e783331b9e8880b7018c9d090fc53656b4a471d8c43598d84d57dfd393883057f6d36e08b1f1f5d4928334fedfe02aab5eb698168dda1b6705e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
148KB

MD5
6c0daa90ea5e7dd0581744958216d8e7

SHA1
0a562b2fbbd27fb07cd1daae855a1a63624dcda7

SHA256
9d750fc101e5a7d2b63e370136413c28170e21c024497afed62dcf09e4b08ff2

SHA512
c93eb5c4f82f610f941bd480743c4eb7e7a508b88ca3fc50fed69ed95abad19c217e22973038d899e657f9bc021e8669616444c07748cba9d9aae07b482d559e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
101KB

MD5
07f53293a35cd818b871666be4e4673f

SHA1
9ba032005fb9748c650a7bd70deac3f7a08a9e65

SHA256
7282ffe22797a9b5a581f6bdfacb546408126083e43e7dc31b4a24fe59e44f7c

SHA512
e6a438f7cb67c0f122ee86fe77490cf830493785ef16a695560a1413f62c045e33eeb101f5d933d7aa72417c4611479c57b610bff346cb0ad4c17ff248b4999b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
78KB

MD5
12c39d29fde81b7694d567803c2b7135

SHA1
e2b4c5ccde1749dafaacc98b83c86a37b5d17b4f

SHA256
10043fa2e2e666035878845ee3cae89f74145cee0d3a06e7212d6f635967345c

SHA512
3fc162014b87924f7004279717d0e52b26477d37ce5b5afa1d1a4af803fea2527f4eef85d635b21a4ce0d774afd12932e35452d1c889c4d8edd0116069fcbd64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
66KB

MD5
86f6d44effa1126a7d8ae9f8eacc37e8

SHA1
53b20c643e420643407c96d830c705dc67af9335

SHA256
b08341811fc97419ba7e888aa4d4d0f69a1d4a7ca75a0262dc7eef90b922d4ab

SHA512
7a3ca6f9825dfbb1f0442943533b735aafdf43081b5663097aa0be943dd035a17578bafdbb3f0f603f8c0f000512eadd4597eae13e8ba35dc703b9215851f827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
27KB

MD5
7820201f0db0c706a0ea5bb7ce018ef2

SHA1
6d116650afbb3b25bfd6226c7d5ee00dd1fe4515

SHA256
04f262a5cce0399379de17e5635f1e1acaf4371afe981edaaf792625a682c44a

SHA512
bfecb88d8852c413525e1e1bdb3eb69c97a10e4ff67ae3ca5eb97fff5a2ee369a1b80a0d314440a375d0f9e950e0e970a6de6afed09062d8523ca28ac878946f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
41KB

MD5
2060364c13291d10f415faae2ffa16f0

SHA1
b74525286e822430625c3cf58a63eed6852fabf4

SHA256
5f1828890c64e96e8cf83c25f10d6aa27e8abb27a029cc36b933fba1af3efb89

SHA512
7107849b9f6c5bf010d8ca179131e0942fca9731b224c3fce16e49a69ff7f9f5e8add819cbc15c9198c2d929417c02647dc00cb3da782882a8a9203f2a358063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
20KB

MD5
88924e883819450fea6752faf211c02e

SHA1
f65cd48ba61e6854b8695490e82b8ef1256c0ad7

SHA256
2775bac57d4aa61e0bafe9902dda744b81a6bc392a953a125fad1da7c949fbec

SHA512
c3aaeb5f7016f819015b54ac7f2cde14cb71b613b046b7097a61d7836f3cf67d38bc6eaad619561c72828d6f930de0362cacddade2f4590389e6c363755c68e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
63KB

MD5
43cc09b97215698e9db8e497a6713a56

SHA1
d615cce9482a461d2293cb03e4941c8be1b28a8d

SHA256
37734f15b6fd252e570ef39ce0efd1e7f8ee2b1fbb35bdb30cc59dd3a865e880

SHA512
66255c736e71c6701a968c11b3a656dbdd1b6c91f6d6a487d416df692acc0e271495cfd02a35757cfab31e431fe10dd6303c910286bad99943729f3ca436d3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
51KB

MD5
828af95c3a45170ea8a9683b7c9c279b

SHA1
4cbeb81e894cadd2f00fbbc11452167b9aba2a35

SHA256
0b712b2dfb8a894e61ff3d02742a60891145626eadf3b9606566f95d20ea97e5

SHA512
64e006c3ae36e71e19b8b7111eb4b71299fe1d02b65d6ef26dc2a6677a8fee4d87ee5693b0dae4e0b61b7bb4fe9967082109480151005a3604d4b56c7e5e4d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
27KB

MD5
70dc4f19424ed6d1eb3edf2e3acffdfe

SHA1
f5e03c8717997457ab5875098caf342e959c52fb

SHA256
4f0529047afe2ad52d6b531440745c009727a374b0302784e5993ad85b3030c5

SHA512
92d0562b604a951bcfcea32569343eeee2c400149faa84375b8eab5f4432bf97bb833b5f9c7c287b1f8f1a330bda52cc9a5868cd35a56789beb7ffc1e9cf7580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
141KB

MD5
82428a86022500a3120b58fe6a0887b7

SHA1
1161296127b364f8e25a8009576f4504d575dad6

SHA256
4c32664dc685c92517ff5413aedfbb31c161ffcb8bc550de64991e908ebf6ab1

SHA512
39109d1472b66da67955ef837c6798d0085597129f2c5a008b83f321f76ce2889b9523808e209286decc8af2bb6d97d8b61c3399f480bcab75eaa60f71a5094b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\129c0ae063825318_0

Filesize
54KB

MD5
40e089a4a62e29d42f061f4d51fccb44

SHA1
5fd7ef8805cdb0374289cef23cacf2ea386d3ac5

SHA256
7d758e1ddddb6b2a4af51e03b7f6af3f14566b945ae7f6359660746032825657

SHA512
24603d87f63c6af2b758dce60a51b1e1b69ef876c2e6ba20356b2425996acb98e0c39828d900d217771ff9636ab42a11257433080a2832a33aa165217febb73e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4c307b02b4dcc58c_0

Filesize
24KB

MD5
a3a342000a5a3313f41e291188beafdb

SHA1
3f09ff3f2cd58d37e5f506d76500bdd7a1ba61f6

SHA256
914719ba7c0a81488add3a6b313374584cc9232fac8dbe71f319ae5a2b21b468

SHA512
4dbc662cb15a7bffd213e48a9f24f3f189db212d59e4bff1f30c9428b6e40defb3f985e32a1f908ee3f79fdf332635e084b54efdd8fc25205502bb6854ab7ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6b7d5b381adc904e_0

Filesize
462KB

MD5
415198676113201c2161f23202361dc7

SHA1
454519c270879f0319cb90d05848c9d71501d40b

SHA256
ea1574f7253ed42f247042c2758717d4d1a4c5454dc54ffafcf3e842811da5d6

SHA512
fdb51ba3ff36d1ce7d63437bd0391817f41fe772de49c4051f9c6c175f83ab71bf6df2006cf8723b9a7e6eb610e76107ce219c6733fb024580e7faa6090d1108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\94470919aa9c7755_0

Filesize
383KB

MD5
d3a902af9e0183d1b4ff4528837307c2

SHA1
bde7c3dc6afb256a5f047b75fdb07d4677f24a34

SHA256
59af8e4e7d597af7a6637a0eba7b1f568b1e44d9778742d333a847638d20af94

SHA512
07d2f1c952ab82d362c04c623c0a2d52601ca14e8955268e5c0ba5d2e9684db34319a5d78055eb5c546e5d7a5868310287d87f6b61008008966feb249b9b46fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ac92a507d2425e1f_0

Filesize
317B

MD5
6d61fb9a471b12550f9810b0b6836d95

SHA1
9f728b6e390a521d3786083f3e2f0063e1810b7f

SHA256
8e44dcf34c8ebd662e1e913a17cecabc07c4d4a54f196e1737b8b52922751e90

SHA512
14021f28068364d80a45ce588dfabc8ada6445423a9a9f5cf21024af568d2da9c784cc2d64f471aeb51bc66602ffc8be7963099f962e8e86f3f4d64d6cb4a2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\af471629f9deae62_0

Filesize
32KB

MD5
4536ffe2c63f90cbde0535cfb8e1fd92

SHA1
decf208d2f6a4554aa05f359cf6c62185df6dedf

SHA256
f271975aaa2a9f71b269709fb58f37ad522ef430cb7817e23631d3fe0f63094f

SHA512
ecf130dda4bdcd576eaea59e788822cf86dfc35f9a236588cecba0cccb4d9c0fed29e09812be28bd28c79115dfb78ea67e8be1d8218f04262c5998847879e5fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bafc0e3cc37c0323_0

Filesize
33KB

MD5
89f327552029e97ecd986179520e2686

SHA1
52d6a952d58fb8f687be21b4bbd4965feb962b46

SHA256
9e862e99807e8b3cfa2773e175f33c60bc1594bbf3be7c185c1a85a0593ce276

SHA512
2e43af94381741960e9d453fd32aef786808fca62f96426b0ac8e726c2b1199c238d582fa2306189c986f39413adfadcbe79fd55b764a3bb011aa5e984bc8e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d5c962a73f133c9d_0

Filesize
32KB

MD5
9a35e5377861b8adfb294aab4dcd7e2f

SHA1
4177112609fc64d6884dba861ab4ed09691b5216

SHA256
b639e3220e90de6a0a083a7f0b0cc10b7cbc7027ce027ae74a28be04202f0383

SHA512
a351e55e9c97b9c613d29177e559c3f791a46a32e778abed92930fb7a63e26a5afd8e8c18fd7a6ab4649a5c73c443b2302af21d878146ab6c1f813caa014c748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
52eb1306a3c7ee6106a4f33a7a1f7b53

SHA1
8f974ed70762b43b156b0fc7cf8e11c67798b4d8

SHA256
99abd6d94f365ee4a0b34c0ad7ba05cded4121c83105d5adc4bf26372edbf4c0

SHA512
16070e1eb4a1cca86e6db5e4abc8ee1d1800dfd0fdd309b49f4bf184614fcd694b35c5fe4cc8506a9f913058322bc182be3da2de8ec072f35ac8fd3efa0bb1f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
f913c7d610271c49a6758102a365e3bb

SHA1
b86dcce4380fd410cd90e4e5e7e5b81ad222d143

SHA256
d68c3cb21d462baf4aef430863ad546a3aeae459fe300a22c8c684c987cb13b4

SHA512
26e8321d1c73dd2f4dc04d26fbbf7e8accd9a41073cbde0f73c5c17b3aecd85c43c5321a1c90e93b1d14373dd568d72e50976d378e67538107a6be96c10fd617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
f6c92f3b07204179b4e62d40e7634220

SHA1
80334f05819140c15d2b074a7337d229d12fba01

SHA256
ef35c0d95dbc06cefed971e1b07fdc50cedd6f3d42d0a0caa6b59db43542ac6e

SHA512
952bd5c0d51bdd53668ba8f871fbdc88caf97c881d093c6ff21be9c5dfeb09e858391472d128277bfd6d27e823525f633f25cbc0fa3e8e784807be5f8f07f744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5ce40e.TMP

Filesize
6KB

MD5
138c7e9f3149ea55e19dc70a5385a56c

SHA1
254d8062340be56a17a01ea143a2173e0d3fe5db

SHA256
d8f322e1b9bee6471f87e78cd58d344c53b726b3e16daed1fc4c5f48ac9ef932

SHA512
f4def6bbb64b5534aca3a5220e10729fbd5ccef3573447a0e70efbc437dcfd79efebf957e35727616d2da824b6689d877f5475571dd2906e9a5a8f4bf9fefddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
817c85ab89890d9c0943857bd3f807b5

SHA1
1da8c83ad2bbaa03dd1f619086047488c959d112

SHA256
f7c829965089e52f9a71e51655f67d4b2e93904a2116db09659929124498edb5

SHA512
f87859779ab3d02f4e3f0634d3126244c86243fa4fb06192ead3835902e230591592a5ba4f761862f37e86e622f942b1819b73e0efd79ec3bf8476dc394bd62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
44279906daba27f891621002d419d155

SHA1
bd81c4b396b124bdaf5169441a4b9510c5156bed

SHA256
c421fb5c97ed6a78919aee54ad8dae5b7830c103dee672c7b5ae58743c29144b

SHA512
449d91b7f2af42f67da2f89e97bb1e34cc78d666a97c0c28ba406f8850203a6e3a8ee52c12cada8bd5b4ad9b2bd947748e1f6f4389fb21c4aa284bed08b5d3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
67c296030042334e12b0b97967d6a58b

SHA1
b8494d88f4942f622d44acec5ebe131eed5ac3d3

SHA256
51cc9b7289d5c06857cbb70d1dc8429e54923caf489a68b1e9bbd233c4ba5584

SHA512
ee358bd39cc8efcbd88ee023caa47818bfc797a6ce2e10986f09161514eee25487e55de56cc514a9071c9327921d0a5711cf28763643bb4939f106b401970bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
801df531ea009f58baca8e76b6953540

SHA1
1b3b291637ed5cd10d024956df7d76a8920f42cb

SHA256
6f906152f84ce0c964222751d89b4e432f163a8ad090a6112131cf42a9bd0145

SHA512
ab2a1334f6b1359d42025f51a6d74d661d4576f55f3d86dc52f815074928420223fc931d675914e49c81b5d0fc01be833d5b1938addf47cca55168fb9c5d5b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
166a2c5ac4b64ad08fc504e09cc243a2

SHA1
dfd9d5ed874243052021d2138b3d2a688c5682b3

SHA256
c014a78b8515ad328fc660a8ced3f6da3a95b27fc275d19027f96b77e4916e7b

SHA512
d240e7cb4cf1d66f7a7bf3e31fd7fb93543525a8802e13ac652559e00f1fcd3e876a15b14bf85091f520cc8ec22c87b0180842479fcba3bdf4af306ba1064428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
3KB

MD5
6473aa573f7cec6af52a43b53458eab4

SHA1
02b510bab456b8db6ff5bbc3676878ec18c133a7

SHA256
ee21cbd9860b0217f0167cdf85ebbc12a8b8cda869c20822f4bfaf4af2d6173c

SHA512
a41b318c83bafc243edca8080d4f0300269da25db7459d2e5a7125a2841d1f81378f1629547e14a466e48937cf58f3f6d56c8ae6f66f37cc2bfea05f875dfcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
15KB

MD5
a504fb68112a373c1e6194174173d5ab

SHA1
f23e855cc6599ae6f95d5ef108c14bed74635888

SHA256
92b4614090bc9be0680567adb9351d46a6d88a9bfa248692631578d65ab470e9

SHA512
11dd18c950ecf73ed76cf8b99f6db5bdcd8a223fc88969e9d630c9fe3cc4b185d3b23b7235c9c63de42a3cae35b0041179f3818935614ea2a65850bb0c3780e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
e667a0dcbe9bbc2b47d9d68d946f10fa

SHA1
a9c996806373ed46fc6f1568fe8c72ce3c48741b

SHA256
3d4e0ba1ab98863cbabe5a06642aaeee864b9b0c16c383b8ecd1c3d5a6bd6d70

SHA512
63ae7401a95870f8160ef5f941782a057d82c444d7f5c62e59f88e963157dbc1afd017d57475cc90638ac6d2ce7dec63616f2f88a366a662fcb73bed261a9fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2846f334ad8098635c117c4abee61e2e

SHA1
1793ecc27874c54e5b8639b51745b7229539b065

SHA256
a07853d04ef9269030becbb83ee1e47c7498c9e9d10f1b029348f8f1fe6e3249

SHA512
8cff3d1169114cf3169faceac611799a482b91c01691f7b075a3e9cb023436e957d5b2811a347ae7953adb5e97093aa7deb7e220a54bc73649698b461692885b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
91f1ffe6979dedac8cc995382c3e2ff2

SHA1
6ec03b2292a7b6768804a7cbf16fad6806e44ed1

SHA256
f6d4189f319fa2aaa776a72168916b303117723bf5381e720f2877c22eae58a2

SHA512
f5545f2e88c4d0496626dab4ff4b545a9c352514b274526b4bdb5fe8ea7b685a793acf47d7aa4e94006cd08547d51d4c9c5fad58793d77fc7c68313fb38ae4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
afef664fdc567b484eed0ed79b97a75b

SHA1
6bade9113b74a423560f31a1f748459a08a9aa27

SHA256
ac796e6f75cb5537db28a31f5c6e1c1ac8d0f26ccc30e98f31abddd6647aec1f

SHA512
d66bac0654e2722a4222bc53f940fe1e3dacda15df7bfc85ae413583fdab1d35587b31dfd2557f9e9fad4d4aa9ee6474d8ef708eae0e46590737d3961cf9008e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
1be343fddafd70495479acea29a21d77

SHA1
743b114c96705a8ae38ce4fe05da2d70252e0d01

SHA256
dc3405982126a345d6f0a47852839c0f312d7df19a4b16ddd8abd0e27460a5fb

SHA512
bab51855af745d114330eabd33e831f4d00b481ae1af40e0f86794c59cd1ab5f1aafc9d3e6cb5093b2830bddcf321640d06b4f93954fee9e77ca9f8b0d250667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e448510039841e57772acb3d488b9456

SHA1
6cb349062f1b6be0030718f81e770bd27d5ff852

SHA256
4bbc50b6c8b558528ed503f18f2f7a58c28c5429b336deb636258c746446c186

SHA512
9fe1607df0bfe4dcf67c42833be15ee5560932a629674b8ecffbe386997fad547d41423533c1f6bd11330f33521ca7b6681f887223c7e7455c52161ad1cbd207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
58eec4d4d135427f1a746ebb00800633

SHA1
edee22ebed7b772cf88c5ff252a062c8afaa1aa5

SHA256
e88cf25ab20bad18fc81d59c27f9373152d6f32c7d6f3c648e62d59b0c6d3864

SHA512
9bc2ea42e33aa40dd7cca42641e43873ea7c7bdd0bb6a659b92b96692cbff8f5b22f4bf6c7ae324a1a2051d04c4e87e0e2cd1196ba6e6b486d201b399224438c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b2fd0bfad42f32a0f10678ba40d4e33a

SHA1
50d914a62d67a63355f3c13487e5d2f253524f61

SHA256
ca2408d6d9706b0441e034ebed0b339eb02e147f7fc488d473761cceacd3a099

SHA512
b181cedb23963e2afb40fda75a4a63c8541837fe80ea8a626bd460003ecc82155a98e4837b2ab42b9a5d5ea4db5e2d83f77ebb8d32a066a4b3dec2df81c412e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9aa0e6b9c9f6598fe5ff14082eb321c9

SHA1
5d9ebb9eac3adc609d34fa93bef09788713665ed

SHA256
07767eec8257ef53fbf224e8e589a1f5b391c50f182cd8bac401ef4a6ef4d957

SHA512
3a3eb32baff10c8538da8720bb8451540439c29189b778e159ef17700c2ea907866be10e7154a0749027a3155e04b2fec9978f09c93aedd4a71e9774ad810390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
bbe0dba622b967757e7d26b542fa7844

SHA1
44a6797af6dd9c155411c39596de3d96137b29bf

SHA256
94297abf4c0b0f1cc1f6fa27abf925f81fefb407b75d10c2e2303a3ae60b68b9

SHA512
3cc59e36bcca3f917d6ae55611fa6c4df81177a2240c37426018a70e932cea2974eb1c5ae8ef9c0d6d4fa583c06097ecfd5eb36b7e5fb55a3dd02fe7677df1b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
5624064d469b7c8c2801e8d2a5803dee

SHA1
b807ee9a6bc537f669aef4ac3059a7aeba1eea38

SHA256
89d7b3028e66747f574be24bc08c7db2c4e617c566bf4eb259721ef6d170ddb5

SHA512
717c7bef522bd77b69c3f8bcc117798542d3a33e1591d4e97bfd7567bb7150a47bb7eb9d15122db87e5c95157cd538788446df31613a86fedb56ab35663b6c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
ad7ee7e487a21a37b3c5805d1b549664

SHA1
078ae79ac1ee59a497b827c5f74e44058807b436

SHA256
7dfa403f4e2f0290f2112560e46578a8258994c82a108e58ceb9cf186f335ef6

SHA512
de38f4cd5a337be8d7be121073cf16b9f728d8e98b14fe9fbb042d849000780919067f8b09b1d63ff5e70a7ade0c3dc781158d062da5b2d9c30b5fc71cca1e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f70ddad4a978e85f6d0a822e4cff3b6a

SHA1
75eac5f706baefbe5aca26e9d53c5dc275d20374

SHA256
c479333fa5e7560ef54eb32e0f5327c6e032e78e01af061bd11e8e36fff35ae5

SHA512
b0aaef88d4bd6a00e4bf6ea960b52c67397c58d545d84d34e45f2fbdcb2b1301e3544d93b1046f8356b1284812fe6682c729c13951204e4538d23fd1538beb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce8b1cfe21e67a70e7e79ab75ce46118

SHA1
5dcd4cc7731d1725f21d32eda10e1b32610e2458

SHA256
726acba421a19464d5a75856a57326997de5c429874555b4a0f0739b28436011

SHA512
3c07466b77d5ff8ffbfaa211275df504629581d02d3d3ac1a562b80551747cea9afda1b3428938ad4b63779a1092d2a488f382ae557f2e1c4d0631a4244e81f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e4afcf844ca60f09dbbe3325e756c3f5

SHA1
905d89831c00e46ea5c9d3da3e6b0788694a2018

SHA256
ddb7d05bf17e34d39568cea819e5ecb1ad58674156df19a0cc91278386e43553

SHA512
2b4f4709e997050f768e1cfbe21c1c5311e706c4924ab7f3cf8cc36eedc6be2c872b8daebf3a7648ca8e1e3ea0737ead64202e00d2302f10263e3f5a5328df14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
1351c0ca81a8aac5fdb84894ed4b7f52

SHA1
34562070ddab6f1bac564d11a347ac47c204b100

SHA256
c8c24f80db8f9bf0256802b7e60267502281400d2cde873a402ff7ee915beeeb

SHA512
9d8edd05f1438de5dfdd733e7d35e649867de0bd39b906868ad23f2ff1f99da3b592b1116af469f56c4dd308a3f5e0cfedbaf27af90d6b27680972a74cd0fc54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8a335def124011cf3cf01ad49e84221b

SHA1
7cac962a4102994bf41a43f9c2dbf62d79551989

SHA256
c4a21040114a09241d15db26b1eed978fa48ee8135a6fdffb21aa149c41503cf

SHA512
c5f57308bf0a63a7d91468db8ce5539cd835a63d136976b01580f1d35d3072005c1ae5c287d829d838f8a3d00e4d1855bff6edafc605ff0e088def3ef006fd93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
a24cf95d3b345f7ee4f6556f3c889a79

SHA1
137f2a9fa7b37aaf905d3c4de0126f08f54ddb6e

SHA256
0d704578f04ccb19bd5df66217d0ff54c0339fa22a7d01db87490b4ec04760f0

SHA512
ae12e00df5639403a8a6803485e34fb7ce5f35338c5b2a6dadb7420c7519964e66842c24355fbbf3f38bc23df0e580187f59fb0a0ed0f0175af53e3fa46aff4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
9869fb635159469cc67ab1bf42663f1a

SHA1
f5dfb8cfc524a42b7e0909186f41ecc3fe65cd12

SHA256
3e13509aa85b881c2e4834ed7129b3650e82b51d776a8381ed9baf088d4e1c1e

SHA512
317c62b285d571d21134473e2edcded8b96100afed889345283ec5f2cb110598c1cbaa0e22ee3b20acaceb161303b5485d45ba364d5cc21d4fade40acb9439fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
81c0908ae73860887393d7f840d920a6

SHA1
5cf9f391f0ab9a0924bf3870829268ebc5d9996a

SHA256
45adb8fa7ffe6585ba82bd0b49e6f7425485348305dc9b645fa37c9a72f154d9

SHA512
4c756f74bede5ad2df1f191d3c19cd31f398278cecb0df15986f0618ffb930eea5809118019ae7957c9f51a5a407e3baa321ccaf55e6001125a2b275e326c173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
a532c4bc3184ac4576e62663d7cddfaf

SHA1
745bf38ec1419692a047eee2b53ea65995330aba

SHA256
55a9c9ee11423d286dc84d28ceeb908066441cdedcf88b6eecf444c3e2a1c833

SHA512
f32a97b1c42111edb1ddc0b8c5a03f619cd31300e6062ba8c71d9bd8e100a0a981db6995468a37780a5fbb541977ab14a3a432dd1130aa863ccc99ce08dbd3e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
5bebc6e918d12b2481de898146a4cb2b

SHA1
8c37573e821a38131d7fbfc24d601636fbce937c

SHA256
63b25f18ed6b3be9f6e146e6f6bc91cb7c753a27ceccba77928a94cfb78600a1

SHA512
3d2cbf8e3ef9a29f9ca15d38632a367a1aef5bb8600ce0e028d544e185da5a24bef2d7142a88b196a1e5224a385c4dc31684e94553347b7e5c230f34d204fd7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
cb75b860a9473608a2b7129842c5ccfd

SHA1
28f7c3ca57a6d123fd793f2036b509caa20e6309

SHA256
35e8cb30b118fac1a8c711b522da0fabaa43959f901251d31cfff5ed44a81789

SHA512
e7dd66f5ad126a85404bdb8e9ac3da97ad1740a91fb9ddea6af63590a1521444d697f4bf60a64a7d14a63ad18a0616802ce2b6c061ea7604c25c7644285b1eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13368383433297846

Filesize
21KB

MD5
ce769ad703934fa81da21b1ad5256eb2

SHA1
d46d0563138cd1e5a90432758077b769335a6187

SHA256
4792cf525c19299e47a855923fdb6bdc1e056ea096d4e855b28e4e5c596b3dc2

SHA512
e192a84f739147554235b9f635cf87c81719c630da490ed105288ff951d849372153d807e9453a19d24dab63572baea1561387f496b66b3c037fc47e1329bacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
98b02e08ac935215ebdcb15de9085800

SHA1
02c502cad68760d4905634dd60e89fea7790c9a7

SHA256
86d88a28cdaf351afc5be69d2bff384f4bf03077fbd61aa1078717b0f6fba812

SHA512
567cc1034702bc55577c8a97c822252e18f2bf68c9a3fd2840644432c1ce44f9dd39d1cd79b9fb29aa034ae69662b79eaa1e9ebe90c35070e45bc67054f15148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
725c6aadc98f4d503e0fb7adcc99a566

SHA1
e678ec55d2d0d99cf6810b76490316d55b3996c4

SHA256
6263950ffaec900082b2864a68dea5f30f282307f2991ad9a882cce5bd4d3836

SHA512
bd33b6768b92fd40b16269cb6cd3c5ee5f8055d58dfe1e6212f297a4c04ffe139c7fbd74405382b4aefe418bf389073107017632401157d7ec645237c8f42f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
a508af96ca5f91a4649509131170f9a9

SHA1
f065a49ae7b0189a723082f1e39a0ce0b8c4dabe

SHA256
96d7f31eeb2adb9a4dab07fc25eeaa491e7c409f114961ce8d6fe67f1ae562f5

SHA512
48218ef23dfdf63541282d4b109161cc04c868a606eaa9fbdeb0b0ceba8415af07d1d82c3b38f01c73c46ab90d37d6e7853bae2fe08b99cf5270e015a3e0a723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
baa56099816292959cae41f79600dfb9

SHA1
0f982fdb6f8db1fbeb64fbbb48ee70969b715493

SHA256
03416b97efa32186258289339ba91b72a16ac0f8f61c68f9581a6ec74b94b04d

SHA512
45bbcef73657b48b87008a1451cd6ae3e60375a255daea22c9ce1470d143e34e3205675308e18a0f2117c35c5e9f355c679978c2c7a041aa8f0d68f28a832446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3270903f4bbe2b0021ab77b7f3b00a5c

SHA1
09de93eecc2614e148438a4b252ef144e95c65d0

SHA256
76975755ca9891fbefff52432f5fbbe1950d5a2fbd54e9e446d888638e3fad41

SHA512
e3c814011091bcd9170195670a7fbb9190dc97f17486cfcb32a5a4137dded1093addb3de903f73f7cf4d45391112bc959590c6f42bf8b5f30d1e55966babd37e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7748b0abee4426d6ca97cb297c7534bf

SHA1
3cbb3f5a7a4b8ae86929083f07b419c9a342aa65

SHA256
e8851fe916422696b33080213fca3b90b08cc2dbecd2979a599f386a74938b2f

SHA512
e5261e329a6994bb84fa859708632702509d8fb15094a9e3ace9638c875e46f368c8b8f64fbeb096a57e6931d7cbff888b05e753562089906eccfe77dc212954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1111704b32f7d79b3cfbd1f1cac2ab7a

SHA1
3c8e37255b04cc5236c4c51f41d499b64678b433

SHA256
8b3dfe257cb545ce3d7b4a70fa7f95732b55f08f58e04306537d511525fcf5a7

SHA512
47886340575da6e2347231e9e50eab3f3c22572bdab9e5c1d86d82fce1382852fa6d62bc33ebd3187c92b846eed896776bea28ce479aaeab4d2439b89061448f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
49d61516059abfa83adc967e98d7d816

SHA1
0da5e3703a03eafe4accd7e05195b82b85c9b770

SHA256
c5cdbe566d4580d777aa5decaba427ba5e84959ad677df7f90f401bc985239c1

SHA512
6bcb0de7b2221e604114d37a11aba39665be8167c6627438e669ece2d1da1d3490bc96e1d1958d309ff499239a739c2e3b23ca363a9ab3968e9c7650343269af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
46a3da642a01bd6867dee54b13f2fa28

SHA1
61f265fd6aab991f6b0b76c007af6badbc27aef2

SHA256
93198b13913e825b9d644f3156b2ba00a28777cc34c5edb649fe70e3730616b7

SHA512
3e4351b22db18f4ab41c23d1c15999920b30e3f404a13cf393b020f5af20a1684c7f2cd3ed8a607be7ee5d152ddee802e98e558e219062f0e23543758c26a498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
0d81878cd5f9b94e8015e4f6e73a5254

SHA1
acfa0fd8bb54a2228a4194850e5972e3805a8be2

SHA256
c5db22214daa3ddb6ba79ea37444bcb74d70a2bcb8c6a3b8ccd1a1da65ab3a4f

SHA512
69ed723c744c6931e00d91baa42c3cf9c49c7e3920696991aefb06944c8d92cdb23c0eadbe726fad279d79b1a7e8be13f80d3c40be4bc39cf9b56a999452cb15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
12b2fed4b7e954b896963027926fde7b

SHA1
895cc914697d86297d292e1d0fb1d1828a4d10c1

SHA256
88b7590b4732afdc30bc319d955c3a01a3de53c331ab8b47721abf32a3cf79a1

SHA512
65799d0380e214c1ec44b291c9bbbc39818afab600c1690948943e3c3c01fffc739d992bdfae55f576e114ae72f92f69a54a0e30ab934df554733fd3bbbceb0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
947eeebb1fed7057f6c1f010f7c81778

SHA1
6423258ad4218874fd6c5335972b47d251c3dbc1

SHA256
cbe6ca34c6a195cbf28a5c15c54f7aff336cfbbc0d7ebb37d0c090441925e17d

SHA512
95a8f034307181cd21f30711dbf0a3de3b29c33ad2ebc0aed7e1d258b09936b59fd96160f307456a87aeb97e0127e3701fbc04195952bc4b737885d092970338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a776f198bdc4ff17e3430e45fb3387d3

SHA1
eab4b5df65b9455480378d0dfad994052957c40a

SHA256
2781ea0721c72ec62ae3bc306d9e156bcbfa327dd10d7aef2b826211574c9bf4

SHA512
84f435b98935a11f8be8945ff927e08bad610a033982b0f047c9ecb8830f08c034091b9e77c94ec6f881e908276bec34d38d42923698f0cb971c06be13d8a59c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
11b03a02693a60c8fa346ccc9bb576c9

SHA1
a44de84ce6369c4b9818c17b1cfc534fbfae9e4d

SHA256
0e10bff4445cee91cbdd2492c292ddcc58e8fba25460d4eb97b022e4323e90dc

SHA512
4106e6ffa737a4ae9ef828beacc86754f817dbdfca2b26bea4d92c506d9a14b017ef5bc20211da1c397f0acf649750a1c5acee116e819afb97a6bc7af4345010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f7c918d10801bce53d0a5ed09c64efb

SHA1
7b88cc061d26aa75aedc308980949c53e67bd2dd

SHA256
4919367ba1276c71491273199794849dbe66f6ba2912f3093d5fd4b01400343e

SHA512
a8842cf5d5be16c9329be347630c4837344aec5cc3c787888fd89f444fdeb234b5e1f3a09a97b1226a0d189355328a2c22c879a870e8f9fe75ef81e189b953b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
977f2fd430ba7162c1b57e6141f4ab70

SHA1
b949d63e33595136ac9021094ab05ede5163484a

SHA256
263f8dd6e2ff945e9ef0edfd33fdf7db3b1b720470eb552c270c462a6709cc17

SHA512
011558f6c1368d9e3fb13b99167bb8ab05b8e97abe9658b6ca3f464379651ddb232b39fdd6dfc8e71efbea8b19e02f1dce5a2616ccae5490558c8034a64e2d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e02e.TMP

Filesize
371B

MD5
19535f7922f384775d024cb07885360f

SHA1
959bb05f966dfa17bcabc5a7ba379b591bbd0d5b

SHA256
5dece2c9dc46e702da1838fc005d5f89e4edd39429812f437b0e62fc836b146b

SHA512
6df9f4b79e3616aa30f275f1bc71807a14eaa61eeeb17134453571299872695e63e76f8c91395b18a4ffc57fb324c87942fa5b1c90a3999111c799658fc49f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
64f2a4c0f59e73d1b17c0688d9c27876

SHA1
3a56d336e38fd8166ee24ab841d4323a2b85d626

SHA256
3c3307fc2e37dcb0f76606c5ca14f02b4de2a7c093a55eca49241943927a84ea

SHA512
d3d9cd65d3b430548b59bea5979c04aeef8bac0da11340f49e6a1682c00c1c1646425c0fc1448d10d5017de15c3ac0b9accd49fe1912e9454000a4088f1e022b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
28d65ee6c9950e31ef20b3b3781b4a7b

SHA1
c1daa5156dbb85af861407fd964221b542b8f320

SHA256
dd8d7e894743ec681f44d27c01c5b71466175a10f836c5e38d8058ce8438a3cd

SHA512
dbcf5819de8b6780b30ede55d54fdfb08f6f9b5bd89a551508bd0dd500d64239a6f06cc183fcc5905b9a315e04b5303b667a269fd388e8241bae919b3a3c91c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
886a341b4a3d4f61d08ade574f7ef834

SHA1
e7f0d33a7a7d34fe3a57bd48203cd1e5166054ef

SHA256
c22b9216d6f6b41444f1ef50b6e0488fe5cccdc341641e2da8c985156e431d38

SHA512
aba1a7efb979ef8ca2d4a62e2f715cd15e0d5f290a9b979787938774f2e144aad2cf93c8c8c4e6017c1464e5528e5b43aeff81c0e78113e7c4a2bfd3bdf2a9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
6KB

MD5
9421547f0dee8b2920544ad3dc161608

SHA1
fd536d1d9f8433c7f3f56b89842b0313a523c438

SHA256
6cb771bcddcba9e138859f278a20a334c717d0d73ecf973b5da9bbcb87df4f45

SHA512
f158e5e69c0d9722f46c79d966b15a24f0cd14829e392b103bcaacbea3f5fad5ea1e36d8c1710915c2a6b1eaa4d7ccb3b55f9db66c186d792c151f184125f583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
316B

MD5
1d48bbd5adf36897a40ed57d0bfcc901

SHA1
5b7af075a0725e2e13272d327709ef5ad87a42e1

SHA256
9e6234a12ca90f07e02cf1143f194bda32e699d79797b46033ac095efaf7071f

SHA512
7ea84e5bdf8a1fd5ef91e426afa3d49ca0342179dda842d3876f14dba640ef92ae4b62df20ee0cf288e61c13c3ab3f289975d1b467dd9edc9e4af4a4f70d553b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
ac5f6d1d60b53332d46150b0efd5ccf5

SHA1
95d7bd34276f53d3992b23ffcc872429f2e562be

SHA256
42d99a3584ee59bc40ad95d48f36013576ae103022b3f1ce6ff31cd6ebeec404

SHA512
5b7800432753ccb04ad8a6c071acab1ce7cf90a2b3d754e2d9d754a749e543a55506279218c43de61ce7a6bc4bb4ac30453b45f32b37b2be5ac92f19337b217f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
334B

MD5
f757054a69b351c7ad4cf1995c1f73b8

SHA1
be945b2fab7a816c25418cf114491115d055533e

SHA256
dcec740c9c3eace9cbbff59ac52cb56af1c331165af3fd98f8ed18f35f4f5f33

SHA512
73587d98fac18ae2bc107f5dcfc6f72be4d5a3eea434d965cc8558e7297fc8f1f6682cc58b12c84281505425c7be56e91380a61f425fa827bd63ece2238308c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b1d7ae0a85b645a63c5b1a8f8ba0dce5

SHA1
c10909def4b8ba17ef219eaa16c2f04d7ef02c01

SHA256
4caf35daf0bb03ca8a60b367b0bf575729d33b03c43390aa259f511d582ce5cf

SHA512
396ae9ec442d4094d9e227a18a8260f9c025e0dc614761e7d6a09cd016867868f7a0bd028d9cd30cc2aa66323376445e6c7f68ca66b66d15320be9c86bf4e133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d05a07a3dad8e31f3114b02488a8e93

SHA1
d3f2330582c977f09078bf728390e8fd4c902b6b

SHA256
254eb0acfedebf364188798fb4be6a5446882cdcd3d393b40fd17335b56c9745

SHA512
dc59ed771af166dbf19a86167072d7966d3be2b4dcb812a094d48c7935546e7a631c850e421534695b6b9835586991eb80e5919e10ee480d2a1f89946472f0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bcec02506e1a566e4e9e8c6656dfa33e

SHA1
7c856f4e61b6f816e0b989ae11f592a2a8f1c2cb

SHA256
1af6e2fab19258dc59f9cdc737cfc7f02c83476a81314b1bec60bdf0ee27991d

SHA512
00fd7b99fc0c7525d53b36156babb370d8a2fbf8aacce8583f99d3cea5e505f2edc09ece689f114a28c13179530c31432d374a85047dcc7dc0edb3610e766121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d964603c22b97c4c00993ba2ebe396c4

SHA1
60ffd81f95d768c9e700a5ab5628187a304881b1

SHA256
e0a6e6b93d10bafbf870a1e926285dfa2f7ad3a197fbaf9518124bf176c23819

SHA512
7ffeb319450026baf310e1eada8f38882b9687422025fa3c5d61155f86f7adb936288b355d87417000f44d5785c013aeb700b9e9aa2487594b6807b827eec67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6e852af2f5b31b7c15d7651522e9528e

SHA1
c4666cd6f9aad36b23f090759cc67b29e6b40c90

SHA256
c8858e06ae88eccea07a1cbd531c2f0fffd0dc98451e523bd5aa3007c146674c

SHA512
a3279307dc3624973e7c4870e6d76e861814f54f70ffcaaa19de8b21b2882b82b8d784baa61769164865c7cd0a857e40318a564e5e772eb6ac775522544cf3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
6a3557706d951bcc9888a4054f848066

SHA1
e3421d29bb2658ab8df90bf75aa19429f73fba70

SHA256
1d9882609509de69f9085dde6467f08b1d989d09ea4035d094a187159b032c1a

SHA512
00372480ce14dbcf7dcadab04233b5fe3db17519e5a7f77cb723b0c237a1c4d669f912717e2b1e237bb9ceb41d0a53a762ee0e42242a1b5ac97db8e734db6989

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 553589.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 704411.crdownload

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1568-1670-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3384-3463-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3384-3464-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3384-3466-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download