wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/WannaCry[.]exe

Analysis

max time kernel
354s
max time network
349s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-10-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF9DF.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDF9F5.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

pid	Process
3508	WannaCry.exe
4444	!WannaDecryptor!.exe
1440	!WannaDecryptor!.exe
5900	!WannaDecryptor!.exe
5640	!WannaDecryptor!.exe
1692	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
22	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4df00cc7-8198-4af7-87fd-d43b31b270dd.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241025035629.pma	setup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1576	taskkill.exe
3212	taskkill.exe
2976	taskkill.exe
3204	taskkill.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2744	msedge.exe
2744	msedge.exe
2172	msedge.exe
2172	msedge.exe
2508	identity_helper.exe
2508	identity_helper.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
5260	msedge.exe
5260	msedge.exe
1100	WMIC.exe
1100	WMIC.exe
1100	WMIC.exe
1100	WMIC.exe
4832	msedge.exe
4832	msedge.exe
2488	msedge.exe
2488	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1100	WMIC.exe
Token: SeSecurityPrivilege	1100	WMIC.exe
Token: SeTakeOwnershipPrivilege	1100	WMIC.exe
Token: SeLoadDriverPrivilege	1100	WMIC.exe
Token: SeSystemProfilePrivilege	1100	WMIC.exe
Token: SeSystemtimePrivilege	1100	WMIC.exe
Token: SeProfSingleProcessPrivilege	1100	WMIC.exe
Token: SeIncBasePriorityPrivilege	1100	WMIC.exe
Token: SeCreatePagefilePrivilege	1100	WMIC.exe
Token: SeBackupPrivilege	1100	WMIC.exe
Token: SeRestorePrivilege	1100	WMIC.exe
Token: SeShutdownPrivilege	1100	WMIC.exe
Token: SeDebugPrivilege	1100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1100	WMIC.exe
Token: SeRemoteShutdownPrivilege	1100	WMIC.exe
Token: SeUndockPrivilege	1100	WMIC.exe
Token: SeManageVolumePrivilege	1100	WMIC.exe
Token: 33	1100	WMIC.exe
Token: 34	1100	WMIC.exe
Token: 35	1100	WMIC.exe
Token: 36	1100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1100	WMIC.exe
Token: SeSecurityPrivilege	1100	WMIC.exe
Token: SeTakeOwnershipPrivilege	1100	WMIC.exe
Token: SeLoadDriverPrivilege	1100	WMIC.exe
Token: SeSystemProfilePrivilege	1100	WMIC.exe
Token: SeSystemtimePrivilege	1100	WMIC.exe
Token: SeProfSingleProcessPrivilege	1100	WMIC.exe
Token: SeIncBasePriorityPrivilege	1100	WMIC.exe
Token: SeCreatePagefilePrivilege	1100	WMIC.exe
Token: SeBackupPrivilege	1100	WMIC.exe
Token: SeRestorePrivilege	1100	WMIC.exe
Token: SeShutdownPrivilege	1100	WMIC.exe
Token: SeDebugPrivilege	1100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1100	WMIC.exe
Token: SeRemoteShutdownPrivilege	1100	WMIC.exe
Token: SeUndockPrivilege	1100	WMIC.exe
Token: SeManageVolumePrivilege	1100	WMIC.exe
Token: 33	1100	WMIC.exe
Token: 34	1100	WMIC.exe
Token: 35	1100	WMIC.exe
Token: 36	1100	WMIC.exe
Token: SeBackupPrivilege	5632	vssvc.exe
Token: SeRestorePrivilege	5632	vssvc.exe
Token: SeAuditPrivilege	5632	vssvc.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5320	SecHealthUI.exe
4444	!WannaDecryptor!.exe
4444	!WannaDecryptor!.exe
1440	!WannaDecryptor!.exe
1440	!WannaDecryptor!.exe
5900	!WannaDecryptor!.exe
5900	!WannaDecryptor!.exe
5640	!WannaDecryptor!.exe
5640	!WannaDecryptor!.exe
1692	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3656	2172	msedge.exe	80
PID 2172 wrote to memory of 3656	2172	msedge.exe	80
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 5108	2172	msedge.exe	82
PID 2172 wrote to memory of 2744	2172	msedge.exe	83
PID 2172 wrote to memory of 2744	2172	msedge.exe	83
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84
PID 2172 wrote to memory of 3412	2172	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9c3d046f8,0x7ff9c3d04708,0x7ff9c3d04718
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5384
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff667b35460,0x7ff667b35470,0x7ff667b35480
    3⤵
    PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,9431229878401722368,7709167768661571368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5260
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 110421729828813.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4400
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3768
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5900
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3908

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:556

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4928

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5320

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:3200

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5668

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2436

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2444

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5496

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {3522D7AF-4617-4237-AAD8-5860231FC9BA} -Embedding
1⤵
PID:5580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9c3d046f8,0x7ff9c3d04708,0x7ff9c3d04718
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,12451008503154115442,7909689851936032804,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,12451008503154115442,7909689851936032804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,12451008503154115442,7909689851936032804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12451008503154115442,7909689851936032804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12451008503154115442,7909689851936032804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12451008503154115442,7909689851936032804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12451008503154115442,7909689851936032804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:64

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee478f7c4d2926598847a63b220a6ef

SHA1
fea53168560635616d2056895ee7425121fd0c46

SHA256
f2af168c642988d69fe11a5aa64ba9a926cf64abb7784d138f2b5611705eb64c

SHA512
ee2de378f48994411795d4be064f1ecdace8d8fee9df49de89adc1bea70d0d2883bc599c60fe7af43c065aa7594242bd6ccbd8ad08748edb40fc370721547f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ebf4e8f7179369a96435cdafbb270596

SHA1
50efe8d38c7099e403f1eedb59879d78f8c5f46f

SHA256
19ef1b5c40b1bdbbb7a7642ed738e666a0dff762507620f7b460c3a8bdffe7bd

SHA512
9d69ac02542b8cfd60b746eda508cdbce3ed4d7dd32a143b10f74cefeffc0a17de1af0bf1d0ceb5fe3a8b7c84711b55bb186952110c848634cd33e1905656146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2905b2a304443857a2afa4fc0b12fa24

SHA1
6266f131d70f5555e996420f20fa99c425074ec3

SHA256
5298bdb27d48c2c2b5e67bdd435445ef5b06d9b36c11394705b413ff3d0f51f3

SHA512
df85de0c817350d8ca3346def1db8653aaee51705822b4c4484c97e7d31282a2936fa516d68c298dcbbb293b044aa7101b3de0c7852c26e98ac6c91415162b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5391bd7b113cd90892553d8e903382f

SHA1
2a164e328c5ce2fc41f3225c65ec7e88c8be68a5

SHA256
fd9710650fc6774ce452b01fb37799cd64d3cdc282ac693e918e38322349fe79

SHA512
41957bea3e09c2f69487592df334edc6e3e6de3ab71beb64d9b6d9ce015e02a801b4215344d5d99765abe8ab2396394ac4664fced9f871204453a79463cc7825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
81b121862dabc843cfe93c8839e28d9a

SHA1
8f69c598a566d39c13e6e5ccc06a4b9c88ce0236

SHA256
4d1f405dd0f4df269f688ce152ea2928a1a95320e71ef4ac8ffe468f1b79fa1d

SHA512
f80eb079734fb39e0c8f16b88878d0ba6ec43f5aa516ebd100cec5d200a753d70854c7fdae789d6666071bef44f715330367935bf17adfe43b5187853a9ca2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
52c8ebac092345481c389a3ebb82f188

SHA1
ba858ede6803640515a198b55cb5fa379d04d122

SHA256
a9c828af4028a0113d7fe904625d7be2df6062a0af7ce3176a6d82013dee1f30

SHA512
4b50157afbecd1b88aad4a86ae19410b37a7e53888266c99a8406812ae1512cd92e6dc0daa648f07b6fadce37e202aec1cb1aca802cd73549ed0602bb52e1770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
d36e6e374e3b9f682432fa16c68a1325

SHA1
3b9a2bfa6838bb4e240b4a089cc82a67ad80cfd0

SHA256
c3567118f6e44a20948c97f40e748d95a4e28cf81c1207b4f919f9a0dbd5c3db

SHA512
eff0aec1cac9b31a7a3633156854c86c6ce1808a22f9e93c5a69b58d476f725c8346910debb678cadaf8a5d1f30d8bd8f088c49524fbae6aad9bfd0895a2085f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
291B

MD5
0c1911a7716700b2ada5c0db20955dbd

SHA1
cd0bb52ee4cbbef77ecd26dc11fc13c6b1c3dd62

SHA256
18361f9943dbeb65fa2f148f4a68d98c59674a4509f9b2a17bc1ab2ea32e7395

SHA512
a21f56d3c856feb2fd2c608d9395d6a9b2383dc1e28b0b91af8e0f3575d7ca0f998bc9de4a85238aee0a5b2fc178732e5c3e9787ce73ad9afeef4db406508a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
95dc4f8e2128a3ce9be68a907e394618

SHA1
a41e1e7f4dc5f12914843eff3c18f34af8dbfede

SHA256
ed4207cb7ac42d7de811b89d55a54dfe09bdd7482430d0f49925014db194ea73

SHA512
14fe0289dcdb17b8f6cad6a763431e1945272fe6ebdc9c455f55113a4f2b8176fd37815fe16796644c25c7386d699d24c8b5fa2cba2b327944cbc29ecd872182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d21f687caefad7a0f4fd23bbc863a31d

SHA1
fd47dc9008caa8502791b6bb516065aa4f763073

SHA256
53d8ac30fc97106241df686d9d7593717cace43abf974cf2539ab8f598fc66e0

SHA512
bb50c1e2815c8a934816bb52f3e4e1576ffb4d58ceb6dae455c015a3bddbeb617a2085f86e147bd52a198ecd6c3658f401814b080a7c9a601a547b252ebb58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
15b8ca3f6b6b73a47d5eacd4a8b636db

SHA1
b94652a468610fa4ee1898ead5f8fab8ed8764a3

SHA256
1a1b9fc0438b474a370820a665cf8aea393f438ba0fb58f5401c7dbdf7f1afe3

SHA512
2847346cb2d437741800a03ef690a22d6159a594936dad4ffe08e54abe79f1ec5c48d93418355a84664d66e02f9befb476a36a5f148e86afd3cff2bee3f0e4be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2aa9289997c8df18735b083c175de442

SHA1
f8f7a812b0e8ec9971e9c07cdebd49e8bc58b18b

SHA256
5ef65cee5e3c797b9004997a3269f806f30c1312097c101fe70e748b5ed94f84

SHA512
a0751222f2204a84c71deb6993acdf547b6255c77c2709d7cb965b73a8621044f73512e490b32902162f1ea299ff2329353f3543c6218e03923172d31968a0f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c30ad9bad78b211898e2b8182b17b03b

SHA1
4c9b8c844d4060dd1c6f7aca6637f8880be6ede0

SHA256
3a69dbc2e4fdc1b84f793d8074752f23003f07606af0bc073bdebd2482decc3e

SHA512
6f62b3cc7bfa6171a4e78152cb3b2ece36680f9bc54ba028e2ef48dcf3f16fe8f2af65b501ce15c9589283b3843b7608b352f72e6aaa4347001eea7cc2fc7b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e25e1f5fe8d5e7bf777611be6ee98f0b

SHA1
45530f022727980f95ed5cb051ff533dfe09fd2d

SHA256
f7a42d02aa287eabfac583bc07d295dd98010e90e32e36c30bcfb7b78b9e414b

SHA512
44d99eabf087680b4b8fcaed92bc329f72bc9a9cc98698adf2df7e981058d5e6b09b74136e185c129e6460c7535ae9166a86577bf0deec0edf92e4193ac19cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e540a48a510d77df847ee4573243db5

SHA1
7eae3754c59f928a197169e6974aa424860b2627

SHA256
8ca70cdab375029abfbed2830a77245b3b17409a9f01b2b3f51f5603b80fcbca

SHA512
48519d85ea807ce6716897aac39a8b66a2b3fefcd6a82ab4d3a61b66aaa3abfce70662270c841440712c59cbc33353d03e83e01d82235b49c3b82eafd32e230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ad9709100fb43b77314ee7765b27828

SHA1
5cd0c406c08c9c1073b0c08169ccaffbd4ef6b98

SHA256
04b61824ffce6fdbae4e6a527ae58b85813226ee28fe4d631feb76b5f936a1a9

SHA512
fc55ee34b1107e298f2cfcb20dce42b5dbc98a7b68e72ed80a6ea594f66dff6f9e9cb70ad5ccbf5ad2171275f375abac1defd8dad4118afa280cd9c1d9f6a538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
685bda5e49d622fb6b616e2e4efa8c9a

SHA1
d6a5e3da1979fdf77bd12bf4f9ab11bd44f1a594

SHA256
520c4a0bab05b66bc934f139c565ad142f820375452e2d2ff6751df298bcbef3

SHA512
07f8d52eb86cc9a835938eab3d617245ceac65c30c2ff5c14caa65ab6d7faebd27680c2deb4d2d4088e17e1539e7327bc4670a34c2edd2c046ef969d312e5b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e122fc93c0ad25d45d09ba51a3e86421

SHA1
bb52a7be91075de9d85f4a4d7baeecc3167c871b

SHA256
a277c1c6fafd7a44b47d94e4bc3c0337a64a34d252e58722855aab09e6f52bee

SHA512
12787aebefd6a5e4584ec8747a78538f948a16b214bdf81302036ae89e2c4563027847236a4770c4f780a9ca0ed03f29b1577bfb6f11feffad85b7a625324bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
199b3b18550c43d70f2ad48de78ca522

SHA1
97e91088c5e5b37eac80e14defa1e6f1aaeac48c

SHA256
23e178d0d786b007cce091b42cb918517d14a398133da6190eff0f69f9605878

SHA512
2ac589663a65b816739ffa77730d02429b13b1e126c0b5d323ecf80620c94f26b91c5e936253000fb99bef87d281e302c64af5c6f1aa2722b8f326effc976eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
d4ede6044682e00f8049867110d515ba

SHA1
c3fcd6cdfae37ae424b3462e03ea7bf5b27603ed

SHA256
a25a8befeae8852c1f64ccaa9373895d87c6bb6aac1ca9d63467d36a2d0738b1

SHA512
4d1288939c8df6014a366c7d872aedbb3888c7bc601c5c4c80ecfff7360517604dd2af8b4fe65e5ef7aa6ac69fa746cd768315b7857e67244943bed490cc57a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
ef198d8f0f0e1aba16b58540ae2ea29c

SHA1
81240c0200a1ca9c0e7dcfadf29de052540df359

SHA256
ede0202f705f37aab8e1af52eeff67ab04614c10d79807ac4e67ef90971a71f1

SHA512
7df2b0c5e2fd65ec1e34a44bcd249abde82257bc2485bce454a2c9370f8fbd33f12078008a17efd2533dea5ccfba79953bd4017e1e614958f2bdd2cdef0db6b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
1546a78109982dc4bb31b1c7d527f1ce

SHA1
bf77ccc71fe4c61753584aab33bd183edf81145f

SHA256
5a14f30eb7968148a9926f677c509607e7d3be45444368d0d244578fba7f528f

SHA512
ea8af25713cd601b93b8caadc71f49d67277c655f3b9f603e284430b3bca6ca2f1369099a0559691ad150f4a616e39eafd1b8502511eaad2415004a310c85917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
cb0c932161a82feecb56eca9fc49f65e

SHA1
1d04eb94a9444eec941903179e2abe2687b1e037

SHA256
a4d162a9a3e81d9ca4e6f9896ff6a73cd9a22d7a313a5a9cf0705dbb0b3f4c0e

SHA512
51b339ea45f46731abcb8a4c3d286d36b84d9c74607fd0ebd2f8ca352689d9dcb6fb977b630770b2c31d3d95eeac56ee3e70df58268a1c1eddfb3234594d2b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
87c010506bf27d41a003f162913a379f

SHA1
a1c85504a61e37257280cb52c67c5fe50191d515

SHA256
78b8d7b91c614de8d596783f61babeea4f22ed8089c5f385963c623b3af23866

SHA512
d2f7f65c8babade413fc6ca7e8ec7775849cd9a00e7b6c59dcbaededa35d2f6663f0ebe7a5d57d58ee748d879b9fdd3bedad1b369a8a3c248f8ffd1570f5ea0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab63e75eb37e880ba3d83ee5bdf86312

SHA1
d3cddaef0070e39678415a65c43ce58f44ecc8cc

SHA256
c467c987af040bfb7f50ce36dc40943a237de889bacfafae1227b434dd46ee75

SHA512
7af66b0f22db105be5a6074e8829148961158a795e2cc0c17d5e4ced69ec0ffe1b0d25d8701409977c46dce8132487d1f84c95520a0a9e32da22a70445341df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7168211f641255d088bc0d01321a8fd

SHA1
567fdbe4301f2061a9ae07de094c3d39700b676e

SHA256
d52fb96a14cf6e39242e85ad0934bec9be3ce7ddb5afd31bdd6f5bfdc127f36e

SHA512
66aff7b69c24ef48fe85f2807f4c205d194e0cdd09e28c959313fd9747c3114de40a5cf5b5c0f5a8722d3c0e24e9913e8259836132798505ad2a30745af276ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2fd2b9e0c119f84be455e7ae5519b3b1

SHA1
dffc492100ad3187ce62b80d9de24ba942a09f7f

SHA256
fd011f752c89861d256cdeb1e9c5d9b0bb9bbdf79640691dbe4e9ff4ba610094

SHA512
96fcb46e49634122a9b9146d6f7fd2d47e4f82ca9888817e2d2b96cc87105dab5fd50111e14849c1519d1e3905e70253b773358d30eea1596c3df3453e6d9f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
0c3a53143019fa1f4aa995bf82e9b9ac

SHA1
139e97d34bbc8b0608eab7440e83919d96fb9493

SHA256
dd7ffbe279f4ff8d10844ba668eb95c8b2db3f29e73fe99ba93f639942502b7c

SHA512
8fb01e05724ba4773910bad56a95bc2d29e37339307f17ff73b715130de098237f54dd18f2539dae8531784680932c54a008a1cef4f68b162223f2e3c4a43ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
579a46d42eefaceb00b77d60bb653d4e

SHA1
434e5e0dea76d924b4b48613984d7f7c66daa9a5

SHA256
ec53af5bd732fb70344c80f0606da8d7b56959119097d0d0b19b78b4e081e03f

SHA512
05a773a883c5d7d248dcea6ed9eac5bb47fd62c7134fdf66b259941f050e9a49bdf13d14dc354ea696c8a2298a1c87c4abcb9d6106530b5cc0c81e6774ed5505

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
880e5b01fd499ae0e8b648ee2e23536e

SHA1
2b709a1076e6cc38f9dba8169511872f4a8083f1

SHA256
0a291bcd5d2e4475198c86ab6375b8520d0469abe6044cec63378acecef91927

SHA512
8de249b46774e9edf43f774059b43096e95bde5041731d30eeb97dabcb8c8f2229da7029d5cfde887658279b5dac05c74d4a952592c59812e346940b64049138

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
63692f0baadd3a178fe1ee178e26c977

SHA1
706f9bd71dcfb18661928b87e2dd09b7ab06aeb7

SHA256
00946ffd6f1fce53029d907561d00100ac396b748dd4122230ffcd18bed49da6

SHA512
73eb39e975e3dbdc32400bd9a3d73799001572f6bdc0b11252655ce81c3c907c61ef4ae83a746f4778dc7707c6a13b2b4fe9404a1fe706edb32fc97875fa36f3

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
f48ac896fb663fd07dc580383eaeaefb

SHA1
fa6e093a89f50fe3ada63d5f6d41bbb0d63e7e8b

SHA256
c345c4f3d5e52267423947d6c741215728bdc4eff8952d127efa24a175eac8f3

SHA512
5bd867fcb48e638d2c451ec8713e456bccc455bccab7bc3c29cc77769a7a1ff6464d4ed9443f28ec0ea807c92d9d41ad09daf33d0c212b352a6accdb0b198ce4

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
cb46ee4b4f58547cd7fd3464183aac35

SHA1
abaec42df80204966dd0f91ba889bdbbbb06c065

SHA256
ba8207d8d15ddc8bcf100378c60ab0368e8a543095c0633d40cce69eaa0a096b

SHA512
222f466ca213703b8ac707e7fc1cfd45c9d04e22f7ad9c29786a576b0654705f98f47a4f3c9c4e0642097c17cd8ddc275611fc03c31f3c016abde05f597474f3

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
b23fd1e24b5aad3ecc5bc8a71e1f3d17

SHA1
055000e1c33337817b0521de983895e39c2d7cd6

SHA256
9bc2cc112bd4792fa876ddd58cb8eb6f91da46a399276eca0195d517ba021d10

SHA512
3cccd94eb43fae707e683c3f843293529648448e5b74a3819073864ae2d5586564d70e7b289e249d546bfefd29b9b5073453f2f4e4c94fabe4fa8d7703e72a0e

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
1cc0bb8f1a95ccb3ae63ed99bc2fab01

SHA1
da9309418a6dd255ef04f9b10193fb201d131d69

SHA256
65d6a6e962bfcbb2118b53ee3dcb53f7e925320848f9dc03437e7eb2ff49fc34

SHA512
ccb655559d36e3a69ae9c4b7244de38eec459a49b5d6071ff5e1082da2c4ee79e27e8137013ba197e32cd160417132a8cc64b92ed58bc25b3930e96d128aacc4

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
95ed72a0ce02e55e024d3b7db60ddcb9

SHA1
b50492562f995080327a2d8f068dba201dc10fc0

SHA256
144db3fb0441d712e6ef76029881e9fb39ce29c882fe8ba9064b6aa08d6f5eb4

SHA512
c3d8bef13ce54196c056c310e2378a803e993c5f7d921d0edc71ce43f52cda7f704ba257e190c31e5033f454e913b4a58dd8064129d2b2ba832be353a957dfd6

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
7077769407b2e0783d141b46ebe5167b

SHA1
8afbc5e1a028aa496a4064c560645e126ca5fa07

SHA256
c9effc55d75c5b1bbd9a7d91f8f5d15698b3f7d2f49c8874cf24f06a2dee7533

SHA512
ee0377d6a90f52ad6fbd756dcd9c627acb2dc56b062796b5ef1d42b098a6d7d38599b4a81f729cfffc80a9f759433d63e08a7e2e0fec29207d591031c9323055

Download Submit
C:\Users\Admin\Downloads\110421729828813.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 146831.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
617c40e8bcdd468e0fcbb018534ba61e

SHA1
53747d492cd1605dc33a3d81950240da65e4468c

SHA256
7a585ca1e6d7f42a1653cce320c65b72649bd650b579ee5534aa3964e6c83e4e

SHA512
2e5f78b387a5fab1be3f4f35c4bbadc754def02adadc8825ffc0394600efcf42b901a4594ef3711ee0efee467906238eaf74a632676d1e23f1888a9f1a2bafba

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
memory/3508-305-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download