wannacry | f6788dd76774dccc30bcc7e1fe5fa74956c3fd50d642fb65a00fe48b2915badd

Analysis

max time kernel
345s
max time network
344s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-09-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

c82b4cf81cf5233f85f283fdce61f833
SHA1

b7a2c85042a505c917012bf4f0f916cc24be4227
SHA256

f6788dd76774dccc30bcc7e1fe5fa74956c3fd50d642fb65a00fe48b2915badd
SHA512

df13c26dd36052babcb436356856e227c277af41be8be9fa3947e404ab07be64ae055411a203ff3a54952cac47c94f6e79beeacbdb47ef7fc93266a9d6faf8d0
SSDEEP

384:1QrWFspa1ocy4i4lbGaPMvhpNtH3INyn2MFV1EY04Toldfj1xCejiw:19/1ocy45EaUJpNZ3CyFTEY04ToltxxN

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3C06.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3C1D.tmp	WannaCry.EXE

Executes dropped EXE 23 IoCs

pid	Process
1148	WannaCry.EXE
2984	taskdl.exe
1772	@[email protected]
604	@[email protected]
3536	taskhsvc.exe
396	taskdl.exe
4480	taskse.exe
5028	@[email protected]
4012	taskdl.exe
3332	taskse.exe
1156	@[email protected]
4584	taskdl.exe
4408	taskse.exe
2936	@[email protected]
1924	taskse.exe
2972	@[email protected]
2196	taskdl.exe
4536	taskse.exe
1032	@[email protected]
2492	taskdl.exe
1352	taskse.exe
4948	@[email protected]
692	taskdl.exe

Loads dropped DLL 7 IoCs

pid	Process
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3348	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mnmgcwodykunqun973 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
9	camo.githubusercontent.com
47	camo.githubusercontent.com
49	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699919970519786"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-242286936-336880687-2152680090-1000\{D52AE2EB-4731-41DB-8535-31ACA37C4C9B}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1516	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1776	msedge.exe
1776	msedge.exe
1180	msedge.exe
1180	msedge.exe
2780	msedge.exe
2780	msedge.exe
848	identity_helper.exe
848	identity_helper.exe
1508	chrome.exe
1508	chrome.exe
3724	msedge.exe
3724	msedge.exe
240	msedge.exe
240	msedge.exe
2884	identity_helper.exe
2884	identity_helper.exe
3008	msedge.exe
3008	msedge.exe
3256	msedge.exe
3256	msedge.exe
5000	msedge.exe
5000	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe
3536	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeShutdownPrivilege	1508	chrome.exe
Token: SeCreatePagefilePrivilege	1508	chrome.exe
Token: SeIncreaseQuotaPrivilege	2448	WMIC.exe
Token: SeSecurityPrivilege	2448	WMIC.exe
Token: SeTakeOwnershipPrivilege	2448	WMIC.exe
Token: SeLoadDriverPrivilege	2448	WMIC.exe
Token: SeSystemProfilePrivilege	2448	WMIC.exe
Token: SeSystemtimePrivilege	2448	WMIC.exe
Token: SeProfSingleProcessPrivilege	2448	WMIC.exe
Token: SeIncBasePriorityPrivilege	2448	WMIC.exe
Token: SeCreatePagefilePrivilege	2448	WMIC.exe
Token: SeBackupPrivilege	2448	WMIC.exe
Token: SeRestorePrivilege	2448	WMIC.exe
Token: SeShutdownPrivilege	2448	WMIC.exe
Token: SeDebugPrivilege	2448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2448	WMIC.exe
Token: SeRemoteShutdownPrivilege	2448	WMIC.exe
Token: SeUndockPrivilege	2448	WMIC.exe
Token: SeManageVolumePrivilege	2448	WMIC.exe
Token: 33	2448	WMIC.exe
Token: 34	2448	WMIC.exe
Token: 35	2448	WMIC.exe
Token: 36	2448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2448	WMIC.exe
Token: SeSecurityPrivilege	2448	WMIC.exe
Token: SeTakeOwnershipPrivilege	2448	WMIC.exe
Token: SeLoadDriverPrivilege	2448	WMIC.exe
Token: SeSystemProfilePrivilege	2448	WMIC.exe
Token: SeSystemtimePrivilege	2448	WMIC.exe
Token: SeProfSingleProcessPrivilege	2448	WMIC.exe
Token: SeIncBasePriorityPrivilege	2448	WMIC.exe
Token: SeCreatePagefilePrivilege	2448	WMIC.exe
Token: SeBackupPrivilege	2448	WMIC.exe
Token: SeRestorePrivilege	2448	WMIC.exe
Token: SeShutdownPrivilege	2448	WMIC.exe
Token: SeDebugPrivilege	2448	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1772	@[email protected]
604	@[email protected]
1772	@[email protected]
604	@[email protected]
5028	@[email protected]
5028	@[email protected]
1156	@[email protected]
2936	@[email protected]
2972	@[email protected]
1032	@[email protected]
4948	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2280	1180	msedge.exe	79
PID 1180 wrote to memory of 2280	1180	msedge.exe	79
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 2512	1180	msedge.exe	80
PID 1180 wrote to memory of 1776	1180	msedge.exe	81
PID 1180 wrote to memory of 1776	1180	msedge.exe	81
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82
PID 1180 wrote to memory of 4644	1180	msedge.exe	82

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2684	attrib.exe
4060	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe56bc3cb8,0x7ffe56bc3cc8,0x7ffe56bc3cd8
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,13824330326322017029,7164421037076937065,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,13824330326322017029,7164421037076937065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,13824330326322017029,7164421037076937065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13824330326322017029,7164421037076937065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13824330326322017029,7164421037076937065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,13824330326322017029,7164421037076937065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,13824330326322017029,7164421037076937065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe562fcc40,0x7ffe562fcc4c,0x7ffe562fcc58
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2012 /prefetch:3
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4728,i,14299535877180008634,3076398157025809984,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:2296

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe56bc3cb8,0x7ffe56bc3cc8,0x7ffe56bc3cd8
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,15135744644301481023,15135201335262488430,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5604 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1792

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1148
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3348
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 179311725518547.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4996
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4060
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1772
- - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1424
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:3036
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:396
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4480
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mnmgcwodykunqun973" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mnmgcwodykunqun973" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1516
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4012
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3332
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1156
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4584
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4408
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2936
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2972
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2196
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4536
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1032
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1352
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4948
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
41325c022c34b1781de573eb49d9ff3c

SHA1
e03737bd0227ac19270d12fed2c8d0e69a1ccb69

SHA256
baaa4c0ac4d03caf61af39b468dd6cb9a9e6cc7e4bf82dac35e346afc3ccc863

SHA512
55e53515fead97f1f4b2367a983726fa6d05c7b6073c17a8e507e3de6fd5fa7919bf9361df0f00d3092c7214bc2059dc78a55c24ad513fb6300a4574f58f90b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d565d2aec3a895b31f38be1ebe19e82c

SHA1
70b8fc98f3bd1e886a1d78c4b090ef83dc1068ba

SHA256
d603d212cc0dd6312c92d541b3e20c74be342e6758a8d2a1c019f787731d6eb7

SHA512
45f32ff779d82b2cc90ab729bcc595db96d2b1b4f271b98bf1bb9ddc6c681ec80d27f7d8cc437b2a1ee50caf896506ce05d97243628fe84f70afadababa4fa79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
fcaaaf09591f1b58c556db659a321efd

SHA1
34221ffcf8d0f8e3f051826a9ba2d6cf3376cd55

SHA256
705c5a7e50f444b3d15a0b196b67b226afc261fda65f0f5fa32687b14a308cbc

SHA512
f656231e23db525420f8b98332045b4043c54ed111cc64c529cf7831ab1d7c7d8fb1f9a5747083fe8c94d98049e253d81e04d416b39308018c3add66fd503b8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
86eb00ea129b9e9a7dab7075539149a4

SHA1
f070bc3d1c5d93bc2887a4d6374d690f0a36cecb

SHA256
80704bbb6521a5123c437dc2d57d3f83b962a53a089c1a6c57eec9de9b2546af

SHA512
4454cf28780d06a1b748a4e89570c1f8aace1322e5697e7ed31f2a4d9a9e64235038cc57b7a214f9d16f8703cf42e91a8ad8735455f068913ac2ca5873ef2eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e160c4873ad1ba95d3a69e0a014f3fd4

SHA1
d0cd35434374000e4eeab8db4658ded520092520

SHA256
3c232b28c4f28d7b87214c034316aa044738ff36d70c45ab241d905eba691dc6

SHA512
287aefd4d46a01cffbf2924f502e7f40dbd406fc9752f3c47aa731ccd0ff17401d7817bf841ba9508fdf413539a38fae3090cfb502dc960ee5de6502803e006e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3277a4f699f468b60ee4c32262df8297

SHA1
bb0a0e6e21b804d7224b670d573651c1da771c72

SHA256
a4978a20fdcec2787bc43d6a64f0dcb64162b9e77d9f60549a7350a3d7c9e72f

SHA512
016a6d22f84d4c4be59bb7d23bc1dd784eb958c08502620090e707ad81d8fda0044eb5c70dd0b5e20d52d07aa84b28357cbc3d2ba51a7e58a1e77c2f87ace214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
780ebbe561aeb249cfc7b4c5c68ab838

SHA1
959e75177a3a4585a57aed14700bebfcc8083c66

SHA256
2a851926ce0b1336e351c3abc7b3f51fc7d1de117ed2c593cf753ddca4c4fa14

SHA512
b42be92cdcd212292585ae1c90049fc58640e1b7d20f9167d875b897cb4b73c8dceaef5c3bf5713e92d735330bab4cd257a00e67fd38f73e0f132b6d8ac8218e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b8140c666b85c988634494d041ddd916

SHA1
f13ce68e68c1a6e9daf772327ba1392a8426b6da

SHA256
5857437c21046863887990560ea6fa20ca70763eec52fdbc3563cd0c32cc1403

SHA512
84211cefb56bca114ce2ddc30286de296a3d2e51eb8b18b5c5411c4f5b809937fa8208b24d239a2fda778cfb821bbdb634cd6494a6120ca10a05039b28d1fef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
013e877ef1ae1eef5a0ccb09b703b72d

SHA1
dbfeeb20fea78b2493efa250b057af62e6b1fecb

SHA256
e17496d8897c6e8e0ec23c0662ade2ab2941e0bad4d31b384d6a40645774cb38

SHA512
db56e5586d74c5cd92732affe92951293dc68d3ebabbd4900bb7a3dc3dddf39ec53dd8030fdb30ce08bf2681dccd31e96f34bf107e69b3e9d06afc35bc6c4651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
cbdfbb5c06bddab148ef0aa2f857597a

SHA1
283150253d081d69e47dc3dc3b7ae9db0d4e7ced

SHA256
f7d050388f1d74fb67a3e83a8e08f53680632b37e6e9328aa58cad8556ccc956

SHA512
b40049f8c750bb8ebb330362aee800bb86e53b672bb7181965155f9b3d74deb0fc6257751426d818558ee04cb1e1631a38fd3f6952b28c33e92908e4c330b484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
3fd7f337385bb3d080e7b8c64dbc8faf

SHA1
753e3f0b27ba5b8258b5fec8d128149598d4d465

SHA256
bbdda5af9de8176d4c1fae4a7b1dfa3ca776b80c861bf407c846cdfa59468216

SHA512
825f2844eade3d2ab5b05d7bcff606cd4b01d92f571dc8adb247501a22c09757d24bb518b2fed2fa79306dd4c92c302337806b35316730319ade77f6385c188f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7f4aa4051d228cf8b60525081c91685

SHA1
2b7169bf59c6e19d7b726c8c061399cdadbcc899

SHA256
33b5f15ff18b6dc7cf361112d14403f6c2441d5d91222981275f88997d05b01a

SHA512
c8c636e95dbb9adeb89cbf4eb39d49d52910ed60f5d4a586ff3a0096be965f6ae7c2de5e9063b7685305c9c3698517457fb5b6ab0571892570334df26974c71d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eabf916abbaf5373bca47391c71b245f

SHA1
fb1950bb8c394e61abcf86b84e3edb1e32e918d1

SHA256
9cbce400d454772a53244742417a4e6b0bd766558a47887bc70009c1a42f7a5b

SHA512
d642e233aa4b742747f28577018e62e5d2653984372484cb6243487364dc4970b868a759fc25e8de8664cf1b3078ff7804c8a253084d89c7e3a28300ebe0da85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\12f7b24d-d67d-4a38-852f-c5515056d299.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
5dca9e68ccb9b468d1caf0b4f27ee864

SHA1
5044e8cd0319275d68624341ce3d5d44276b68d6

SHA256
9f1c34cb9c0675d8c69179e47ce6ffae6642ddff1f8711b8884fee70815f95aa

SHA512
c52d2166d12de367f2706eb3be6b5cfc47e22a7917824d78340a68f538a60e04b7187ab873afd1be1d480ba4e5e17c5255677303b30d99392c4762555cabfb77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
e5b9c05d05493ea7c1f03406592c8b36

SHA1
90573b479dc75f781dbcbe468fa21fb781e0812a

SHA256
78487f82783fe718b811b96ddcf516d36e92a723deb1903e5f34ff0f454014d2

SHA512
f74f472b97351c1fc3010b70634ae4bfd3ac58fb7cc1ce85f958c1f5a61fd6b5ed13b05432a981af0babd09783e706f81bcc002e23d2972b09c304aff0bb8bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4ee9fcab1dbe00ab3902fe25c20f7a21

SHA1
283b2a5bd6badb6e915a17f54e470cd37393daaf

SHA256
b0a7cda9e1c00a2369af9f8c9802f938ffb47bfc3bb7ff14683ced809d6b3f37

SHA512
367daa8ca3e21c97323d34f0438504896445ab0613579c69305a4952605db3ac6259485cc08e7a2f87ed6f92a8988860b434c6a3af60309167a4a17514c077d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
fe8ff9b8d7034eaf72dbcc866e8f7650

SHA1
57be89376e84216c5d88ee50a8e0817b7af6087a

SHA256
fa1af9caf0c9e1b3e59c5a9cd11153d605667c776e207d8f1637eff39f1f765b

SHA512
9e8df6321464eee1dad0fc217c73fc02b3ed9fe8ecb2108b5178612169e2bba6daac87311c226dacfe272cedb7eac63c1c5828d8efd21b23821537240aa97b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
a3a8a86b5ce7877feba5fba29a67f031

SHA1
f4e03ec9dd3be3a7ed8b835eeaa6662d41fc2331

SHA256
3cf8991cce185ac92da99460a820de592290b77cbcab9e6c88c47123e55e2728

SHA512
9a5496d2559f3a2e95b2bb02e4344d0cc6b327600f1cf7fd0ee52c154cfa371191212c72194dfa4c4b0e56dd041cda2955f67d982e1cbc4f287a9a0b7e02cfa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
586B

MD5
30723ada2fa980a42e7117298013b5f6

SHA1
eac8b7d7e50dbbf24085969c072dc037ebf70a46

SHA256
9a33487bc4ddcc39cf03f6671e3a13cb77f21834edddf9d7deb09c6841453c47

SHA512
7a17be28d4e1ac78d22473381ca69f19074d396649e5e7dd5cf3e84b86837d01a38f8741a66d5d92efcc909184a284fd8c0bb8b712cec96cac49ca345a3c429f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
625ab9c4b2cede5cdd2a043acb00b07a

SHA1
d8c923efd74869393accce5a70b7d1c1b105766e

SHA256
9da2f6c9c453f226dd7e07ca393908ac43171178013a0c742472d3de17dc7e02

SHA512
f43f4d9e5fb86abfff348595134f27dd2ff8c4ca9092f72d9c72ca21864c4c1de18da1dfba4858682e1ed0c09f2b8732f631f22df9a9c0a9727c29079e140f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
5d352a03280eba57cb274d27ba6c6b7e

SHA1
8887766642a81a1248dd5f93239ce63e93839900

SHA256
3b358849502f5cfd881dd035ff274a5753f90047a131884838c677e22f2305ab

SHA512
b8037a046c4be7be120bbfddedc780a4175fc8e6c863e9095e39a4e16d2e8ced27c40f38c569a79df990057175e3db6aa35eac645598af3647caa5744052bb1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ad46aac17a153155d02b9c6303ace0ed

SHA1
643eb7cdf38a83a8aad5533fb41be108b7d8fbee

SHA256
49e8fed2a205001d6e4aa800c08f60ce757b0e7876898e5379b46fb5e79eb635

SHA512
f79f31bbd2406dc24871ac0237946c3e416cb58108f0b63e65f79e53f51713af684495b1e9df7f72f4b59f8e15dff650b534ddccf11186d264cc80f63aa7009f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5770e76efded02505e8c21cea7054164

SHA1
f9ed19ccd2273abe30d777266598f23ecb11f6e1

SHA256
25d89d9613e9c0c9d63cf312fd895d1eb16158f370bbecff0471f8b43b8d81a4

SHA512
7dce66b1639cf10c9c2e215e7871555e5996f3a6fa04dc24fe16842d8abb626e080af30387252df38c42140d6f2c4752bee67897d791bd7026d9df69cbbf2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1b273403f69b54d03e5ec34b15a4642b

SHA1
e64fdeb2b51c99f6bfec92de9fccab169c39adc6

SHA256
b40752eb6d762c6a49f106bd5e4e51d8653ee428b8ee31faee52ac2b3285eb3a

SHA512
ca8e1776e7ea168e1734440e81512b13019af2fbdcfc3dbee97915d3eacce47e678b4fcb9f7a1c41b85baba401c5ffedda05853efef134551138aac79269818c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d1d23fc5caf49a6e8e60e9ea1eeb5e5d

SHA1
ad0eb3693f3e825519add90ca9f9aaaeaa67fdf5

SHA256
76fbce1abdd818207d0eee1325f6bf473714e56a1d5f1c17caf6ef6341dfa3ed

SHA512
b2aa70c9df73ddb1ffedc7da98f0df99e4c101389a8d1a6e1ac8e0894930e9a0032ab0a3e212d27f4bb32b5beba10c5f9dccdf5fc95049e2c7e345d19d65db23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71feb871ceed2392b8d297bb3816aa58

SHA1
72fb47e05941d03775c6b514f67ba037afd8947e

SHA256
b77ac8b563fb9f82d4b8868a2251fda1e061db4d83fbc284f125a1bca5fb457d

SHA512
b4edb465467bb64bcdbd37f251999e6b4235283d11eb997f90cd733b991cc4647d942070e96a202a8a1378f5f1b2fd0af688b5a6fa416978be1b41713d785442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2f91b85598d6c3357cf83b70c4c5bf0

SHA1
01a4bc4b6e650c58a78d696f0446551e5a18850a

SHA256
875a70d7710e048c0efa1a6ed0a580a3bc8fc0ec935470ce3969794f80158a03

SHA512
e78dbf095f5bf9dd3046e4e53bcf1e513036ba7497ff8e58018d3d7c82bad49d7401ed110d5b4d73b3633be69d136354a888aaa95ccc25e2af0e3238d7b29a6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76026ae31e9f1e61deb23b7fa0b4c682

SHA1
6852dbd3b132a807d05fa24844d47aabecfcb196

SHA256
9ab854f03af32ecc367fa41831af1c6c11c77567b3f630be1fdc3d73ca95ad42

SHA512
1ba94da5747d13e8a6159b1f83d707a3950e37e73c96bafbce8d4f95f020d902758eb167df67b1f933a866d6d2623498ca408283563bde9b22bad320fc9303b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
901918b5b9211d7ed6f98849367c3034

SHA1
1790b8df58299b23929e48590072830a9d0d5bc5

SHA256
1fb6c5de7ecfc16232bbb9b220c80142d76f173465cfbe526a14667038784ab3

SHA512
af8ed04c134cea22fcf802cef6280ee587487b09a14311fc1574bccc4db7cfe12be6c809fff7cb4a1320acedc4b0c251af074357f34c89a37be032c5e1b70b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6aa5aa566dc7b91673ab7ebb7f672066

SHA1
5d1c29d891d20ee4f4c0f1c5431ec6491584f58b

SHA256
886957931b9958690c5e2c3875eb126ea0c54b253bc926fabe952186b595833f

SHA512
9afec7a7896388141996b0ac4aa8d609e134691ae842f9e2412f33552a4c42f738c454546099713bd107d516bb9ebc5093e2bfa61c26a6e9b5f241ff1cf01f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
f9e95b6a8f64edd64b4af4a29c84e0ce

SHA1
b60bd8babf3de203a20880b39ca167c18c5ccf34

SHA256
a1f9d672018a1a8217adae5b37a75437c0ab81edf46bac8f0c8e1492bf28dfa7

SHA512
2fa1a7eb1dfb656e694cf78c2e7c8c2df0b192e42d5e1e01cfcbc20a5167fbbd067a8638850a0f2682c57c87e3d0176611cc0b5cc3cd5ac11cd45d90b01e9339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13369991984970765

Filesize
1KB

MD5
cfe7bde3dd8c2a4662e5643e8e708ecb

SHA1
d4d1028e2f98cf0f3acac0ec8eb9a45145ec4167

SHA256
bafc4ae116b6189a24079fde3d07d2fe93b266d228c51800849c9ba00b6f171e

SHA512
fe5de2f55b692c4cb0a1e001644c08b6b4b07ed579d89ef18fc31a25995d5233240626f00c91ce46a0ff3c9248a9f713f4a0a2d94bc40e510f98483963e22357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369991985142765

Filesize
1KB

MD5
84488a8453408dbd9ccb4159167d5922

SHA1
734c5a0ae4c227b56d2ae08082511e1b3b11d9b7

SHA256
a25a1e000a1084a37700398a7d809dfe50ade79396a10edb3c272449d58c6b12

SHA512
1dea54682ef42cee87ae960b74a264fb00fb98a70b794f31ca08945dbbb649f79a4762fab57667e0e83a5fe4bf35ad000a21a71d3eee6a64fde4bc06a39d3b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
8be985ece811ba0a3f10087f5f4e6fd4

SHA1
c87c84d4fe182ffb8362f3cabd33349af94e9b55

SHA256
da78d36c765d3248b1a72ead5f83b7a58cba7d361f17a6831332ee994cee939a

SHA512
901932baea8712e89188cfce00a6b2388ba38697bcbfeebcf8b83b88b0cb26c7323b098ba6983c312ded1041f6e297412010113a32e99a9350aa4492ca40efa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
19e94fd5f4aaeaa9d670d98615f5e8a9

SHA1
ed243b373cfe9fab46a85fc96fa3fa7e7316e27a

SHA256
1e907b035725f674d7a2e82920f8365784bb776f970cebabf678438e3523fb94

SHA512
7c6d66c300f6c1610dc7c29f137edcc0a52bc3036f35e317a3d5a07b70bac65ebe0b83b6d470e77caaa7d73b97c8b71c5fa0561175ee1f9909b63981e9e46c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
79a105f07e44b7f3defc1afb90cb56ec

SHA1
77d42ef237f4ab1f45d406d7c3e08af339f6b223

SHA256
d047a8e4eb5bb65b57a1c0c955c0ae909a61ac02973d6b5770edbaca8d662049

SHA512
ec1399308c299ba44c59491481dcca3e5e0b2130404b560ec1d904181d182fcd258e22a287178a2990ea7f76f131fc5ebdaab3bb67a54b4fd0421d23a9208ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a617c01d1d96233b7eb02c5961f484c3

SHA1
8d4a959beeb925aece540c3fbde186bc012fa47e

SHA256
21b7bd3cf9d37ef32b06091210659b8c20fd6ce89d68ced12ad93f524cf29ab3

SHA512
56b4910385f2c894ed49cc0c92deb1b630d821f69b030e01e106f0f8e50bab93194a33d0e9b77ebf568c9ee1393cc586ac382484289434f1e939d1cc6d8c87ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
33116fab4d6ffe05a972f7bfa99a67ae

SHA1
7cf407a7103db75fd779d00a558e3042d4e19d39

SHA256
e7ea6a11342e7da6684948f0dda59192c577226434ba4734d2961d1cf646f398

SHA512
55532fcf94d7479dc94a40143b92af4a823b708715c6e52bb567ad54e52a90ec98f47607396f09bc6ce0ccb82e60f4355eac0d0ff9b3306ea89f85c220ad9b51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59f478.TMP

Filesize
1KB

MD5
d86db1732bba95c8098661682c2d5520

SHA1
7abc058ade60b5fb6af4d0a484da4fbc84d99078

SHA256
8772f022d9d9ba6de90f93ceb96048f2f26d0df534b06cf87e6c229b0f3fe7fb

SHA512
032cc581b15dbfb49d8347928e58b13ed0fbbd471129907c6992a7521ed44b34fa6a33c637cbe874ba1008d34457890d5104c13359d59a936da22a1acb3c12be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
6dd310c9b2cbd8f728a629acfd79f56a

SHA1
bcabd73de65f55cbf53fd2369ffae549f2207ca5

SHA256
ad9be36153156a85c07d4197740339b29930eff567174c89f224c4007792a977

SHA512
6f7a083a2f92e7fecaeebaea76c43b10cf7d1f2d95a64b9ff850bcaaf726c13e5eec3235b3393a356eed798afe908d796f35a1e2f1fa6548cec3a9de6ffebade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
198B

MD5
8a04fc298740789653cc340c77fb4b74

SHA1
4e55b191925d8f5f201b79ef2448f25d592c1d3b

SHA256
3476f7c612a7b7ca7c9ddfc797a06e303fdc87a2ac81d6df4c245345d53138b4

SHA512
228b9780b42c74fb6539667b020799ced46062a5f947b150632dc64ae30d39a1d3d8f82624c824dd86fd2b88c3cc15701f56d77d32874f1889e0283efb1273ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
4c85d500d46643dcf74a2693df23e558

SHA1
df9e23a87c1a660f88b70efaa424322570d95905

SHA256
5b1450dfaa3741ded28b3174f2d947b028b8c988404314f47ae9465e4a9f1374

SHA512
ba7a95d6333218d4c2d134910cb69c2516056f4d1ac286a6920b043f657c31ab46ff6a73b76b10a16b05c8a0796e56d44dd0fabf98d4bffd1a0c859fee88ad04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
976c229ff58bde64e028e08ecdb518d5

SHA1
6da4b3d9c776f65cd76cac08145dd733a0b98399

SHA256
a9065113a31a540d2b28bbc4d11660f5bdc9637dda947d8d3a9858feaaeead7a

SHA512
354dccc7679f49f8ba2b53c764313c07fd30a4767027717385f3c8a20935ea45f1207548aabde07631b2f90ae06152dd621f48368fcb6346a5629b5b855b8c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
9c5f842bf7dacaee7bd702be05b67893

SHA1
e3aa2eb794d33057b0a46000dfd7d9ff983674c6

SHA256
82ae2b17033d722098644bd2845865d0b5aad6c19a946e33463ddf8de1e8d980

SHA512
92b92f91d37f6cc1bfad148ce021e3e1002ef1f40b0247d6babaa7e81bc03af85e026b6cbbcc7d1058cb7bbd30b1cbde1768c7f7733069905706c21438515687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
eda66ffb33da50ab2136f521e63c44d4

SHA1
412e74a3d19af229529c7c9220776aefebadf79c

SHA256
3b6a193f785f0abe0af5dbcd9fa054eb2af474a0df835397478b8e37f38f0043

SHA512
0fe8eea44d8594c304a4ed115a2c9b00da4c4ae39070bd5d5e0cb33423a34422738f838b0e7e15b7837d836f6e082defcf8b0901274e18530f754286d9dcecf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
467c09f1aed8f3d36dbcedbd2d10faed

SHA1
bd5337a0c7b4bca7c77c0ddc645d3c5ee675583d

SHA256
e6dc1b1550216a1ae3053d4d2e7eb63ea4ee8677b6ca511e4d25f942a82579c0

SHA512
d84d2c85f0d263dbb7760bf9f52b1e58cdef2c06c9d92780e9fc9d718a4cc2d502ebf7839b3d1d6843e047321b5c79374aa74a2537c0d824ace127a3ecad1664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
87f3dfd2dff3d149de95e89fc3cfd8bb

SHA1
5cac2ac72fdce3fe7dcf8d5d8a6e2819c0357e67

SHA256
681580804707fd99219a5be1ec196d5917e4924faeb821a537980efe20a442e7

SHA512
4c4bb994cd898cdfc5e9575d9050c259e8ee1acfbf54540277e68d3742ce497f02d4817192714df83cc6cc787334f507063608f062876acae6a73684a4266fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
923ca3e74519fa30a2d71b229f7531fb

SHA1
f0774033fdfcd53ecf38dc524756219bddc08fcf

SHA256
6140e997d6868c9ea7f1c8c2c1618f7bf1ca27c46b24e6d7fd85dc19167d0e7d

SHA512
f765aa1f58932a4966f63541b2ff31aabeb2cbdb7b1a7394ef3750c5d3056a13d13514d42a35e3ee7eec0783c53d3bb54023914396b701d9670e84337493115b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
311ca68c9fe1b7a1c1546ecb4981a04e

SHA1
136fbae3982bfc7e520da13a93a2e6386d5ab695

SHA256
dfb0323e313089b436814ff96fb85a315a0010d07740f7a3a77b83e060251731

SHA512
c2de90277d3739932d51ff842de9a8361b083731874d3bf75d9f56e459413e3398000af9a90f61961fa5a0785873b43b87c9476143315b60b9365cdb6995a133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c4e5aa6c542f331473ea8eeedcd29bba

SHA1
c3ba0ae3e9d34322e2725310e6433022d5f85f9a

SHA256
773843c8d8346b44877944afdc4842cd451f05cf7e47987d1d1afab0941f79bb

SHA512
685223ea5d1d0fbec20c1ac2d3a126dee8f6fe3a697e8f6d9bef1fb54b959f5b08477e9d7d576a8ef9fb578899687bc1056f9dd40354e25b86bad7345c443118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
6e204bffdac23a85e8ff686f302b4aa9

SHA1
50e75ab3eb482683498746c5b2cb7cbdc109d112

SHA256
a9c6e1687ccc7d047333ca7e1c636b2dcee25c24254435fb10cf42ba2e396302

SHA512
359b3fc20aee006510fd9865f708b7380df6939b37f866bb835b000e3ee554e565ca6445e5061cb5b3ccaff3a4c76ce10ed94be599bcecac6de7aef01f10f4ea

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.4MB

MD5
7e14aa3ccfe0a8b231814d750384b11b

SHA1
6ef4e7bfea036ce237ba3df49d20cff3d30f21cd

SHA256
8a66c755a7158150af86ea382aa0e0f2241e3675cb04502fe0557204042b0329

SHA512
2460f641208c41c514ac33a905f3cf1631d7ba9872b9b115b466bdc7ef296767b1d69691b02bfe4638af201a958de0dac7e443d5613940bf4bcdd79710670b5e

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/1148-876-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3536-2113-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2129-0x0000000073ED0000-0x0000000073F52000-memory.dmp

Filesize
520KB

Download
memory/3536-2111-0x0000000073ED0000-0x0000000073F52000-memory.dmp

Filesize
520KB

Download
memory/3536-2176-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2165-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2128-0x0000000073F60000-0x0000000073FD7000-memory.dmp

Filesize
476KB

Download
memory/3536-2127-0x0000000073FE0000-0x0000000074062000-memory.dmp

Filesize
520KB

Download
memory/3536-2126-0x0000000074070000-0x000000007408C000-memory.dmp

Filesize
112KB

Download
memory/3536-2112-0x0000000073EA0000-0x0000000073EC2000-memory.dmp

Filesize
136KB

Download
memory/3536-2149-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2131-0x0000000073C80000-0x0000000073E9C000-memory.dmp

Filesize
2.1MB

Download
memory/3536-2125-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2130-0x0000000073EA0000-0x0000000073EC2000-memory.dmp

Filesize
136KB

Download
memory/3536-2182-0x0000000073C80000-0x0000000073E9C000-memory.dmp

Filesize
2.1MB

Download
memory/3536-2222-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2231-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2239-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2245-0x0000000073C80000-0x0000000073E9C000-memory.dmp

Filesize
2.1MB

Download
memory/3536-2246-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/3536-2110-0x0000000073C80000-0x0000000073E9C000-memory.dmp

Filesize
2.1MB

Download
memory/3536-2109-0x0000000073FE0000-0x0000000074062000-memory.dmp

Filesize
520KB

Download