17b964d940a8290f090724e7353cd32091da72076aa8823e0159c05b94b3e538

Analysis

max time kernel
78s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-06-2022 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

452KB
MD5

aa8a80fba6bf763cf203df243cc67e32
SHA1

5472dedcc20a5b341c11834799901bbb06080bfd
SHA256

1f0841edf877133a15a931a6d98eb84d83657b9f64e4395fdbf4988b1579073d
SHA512

58ae8e054df8f0d8b7a686d1a95d094ebb8330531da6ecf2d43b3b278a6b3c0378aa5c2609c36f0a4f1e96a204def392a6b6e5ae92c46be5c9a6ff1234b9f89f

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\TEMP\readmee.txt

Ransom Note

Good day! If you are reading this letter, then most likely you are simply out of luck and you have my virus on your computer. Your computer was infected with my virus. All your files on your PC were copied to my server. I have a complete copy of all your data including: passwords from sites, correspondence in social networks. photos taken with your webcam and video recording from your webcam Your files have turned into lock.file and only I can decrypt them I also have full access to your computer, and I can see everything you do on the Internet. My virus has deleted and encrypted your files on your PC, I can return all these files to you. I am asking for a modest $ 200 dollars ransom to my bitcoin wallet BTC Adress 13WDsG32nT9TvaK2uc24Pk8WLLejKTPXJL You can buy bitcoin on a cryptocurrency exchange, on exchange sites, or through a request in a google search engine As soon as I receive the translation from you. I will return all your files to you and leave you alone forever. The virus will be removed from your PC automatically after you pay 200 $ Attention!!! If you refuse to pay me. I will sell all your data on the shady forums. Your photos, videos, webcam recordings and everything else. The choice is yours :-)

Wallets

13WDsG32nT9TvaK2uc24Pk8WLLejKTPXJL

Signatures

Executes dropped EXE 1 IoCs

Processes:

zzz.exe

pid process

1648 zzz.exe

pid	process
1648	zzz.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sample.exezzz.exeWScript.execmd.execmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	sample.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	zzz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zzz.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zzz.exe	cmd.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c22776b3-6cfb-4671-9ad4-3926fc66350b.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220614092917.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 5 IoCs

Processes:

cmd.exemsedge.execmd.execmd.exezzz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	zzz.exe

Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

1776 NOTEPAD.EXE
6116 NOTEPAD.EXE
5784 NOTEPAD.EXE

pid	process
1776	NOTEPAD.EXE
6116	NOTEPAD.EXE
5784	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
740	msedge.exe
740	msedge.exe
4668	msedge.exe
4668	msedge.exe
4768	identity_helper.exe
4768	identity_helper.exe
5268	msedge.exe
5268	msedge.exe
6044	msedge.exe
6044	msedge.exe
1856	identity_helper.exe
1856	identity_helper.exe
2800	msedge.exe
2800	msedge.exe
2144	msedge.exe
2144	msedge.exe
4780	identity_helper.exe
4780	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeNOTEPAD.EXE

pid process

4668 msedge.exe
4668 msedge.exe
4668 msedge.exe
6044 msedge.exe
6044 msedge.exe
2144 msedge.exe
2144 msedge.exe
5784 NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample.exezzz.exeWScript.execmd.exemsedge.exe

description	pid	process	target process
PID 1340 wrote to memory of 2544	1340	sample.exe	cmd.exe
PID 1340 wrote to memory of 2544	1340	sample.exe	cmd.exe
PID 1340 wrote to memory of 2544	1340	sample.exe	cmd.exe
PID 1340 wrote to memory of 1648	1340	sample.exe	zzz.exe
PID 1340 wrote to memory of 1648	1340	sample.exe	zzz.exe
PID 1340 wrote to memory of 1648	1340	sample.exe	zzz.exe
PID 1648 wrote to memory of 396	1648	zzz.exe	WScript.exe
PID 1648 wrote to memory of 396	1648	zzz.exe	WScript.exe
PID 1648 wrote to memory of 396	1648	zzz.exe	WScript.exe
PID 396 wrote to memory of 1952	396	WScript.exe	cmd.exe
PID 396 wrote to memory of 1952	396	WScript.exe	cmd.exe
PID 396 wrote to memory of 1952	396	WScript.exe	cmd.exe
PID 1952 wrote to memory of 4668	1952	cmd.exe	msedge.exe
PID 1952 wrote to memory of 4668	1952	cmd.exe	msedge.exe
PID 1952 wrote to memory of 1776	1952	cmd.exe	NOTEPAD.EXE
PID 1952 wrote to memory of 1776	1952	cmd.exe	NOTEPAD.EXE
PID 1952 wrote to memory of 1776	1952	cmd.exe	NOTEPAD.EXE
PID 4668 wrote to memory of 224	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 224	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 740	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 740	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 4836	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 4836	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 4836	4668	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avtzap.bat" "
2⤵
- Drops startup file
PID:2544

C:\Users\Admin\AppData\Local\Temp\zzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzz.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\TEMP\sait.VBS"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\TEMP\sait.bat" "
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://openff.sytes.net/
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff866bc46f8,0x7ff866bc4708,0x7ff866bc4718
6⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
6⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
6⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
6⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
6⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 /prefetch:8
6⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
6⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
6⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3524 /prefetch:8
6⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
6⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
6⤵
- Drops file in Program Files directory
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff76ae25460,0x7ff76ae25470,0x7ff76ae25480
7⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
6⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
6⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
6⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
6⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6468 /prefetch:8
6⤵
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5847493507841029823,1365642963481212761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
6⤵
PID:5692

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
5⤵
- Opens file in notepad (likely ransom note)
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\TEMP\sait.bat" "
4⤵
- Checks computer location settings
- Modifies registry class
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://openff.sytes.net/
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff866bc46f8,0x7ff866bc4708,0x7ff866bc4718
6⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
6⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
6⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
6⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
6⤵
PID:5724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
6⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
6⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 /prefetch:8
6⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
6⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2057027980829952021,15031776850369837852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
5⤵
- Opens file in notepad (likely ransom note)
PID:6116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\TEMP\sait.bat" "
4⤵
- Checks computer location settings
- Modifies registry class
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://openff.sytes.net/
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff866bc46f8,0x7ff866bc4708,0x7ff866bc4718
6⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
6⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
6⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
6⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
6⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
6⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
6⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3192 /prefetch:8
6⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
6⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
6⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
6⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
6⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10395231643451404619,3541818117842544348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
6⤵
PID:5140

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
5⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:5784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TEMP\readmee.txt
Filesize
1KB

MD5
3cf268847ff191b38301b7ba494a9e9e

SHA1
b43e62f74ca751e589dfe3cbad95c5cf6dc40412

SHA256
e8185df72b73f746eab586b1cfd28fa2c9aa2c87e2e763579213aa39b402ceb6

SHA512
2279151d5938dffb97d6d9d520a4a25301c98828aa6eb66949a6898ccd1652b033a1eedb940ea9d5b5895986cd48a399f9bc0d0c003aaf46cef41279aba0c8f5

Download Submit
C:\TEMP\sait.VBS
Filesize
41KB

MD5
c4033520521cba801391480c11693390

SHA1
ed72adab6fe63ff888be022899455d471ce73318

SHA256
1b0d802605c8526efff650bfad7e25bccd5235128463ffe7ab174d21ee830202

SHA512
5de22b59da8e170f009e88e12d03090bc090ff7b402d432adc2fd3aa87c83e5e58423c4682631be87a1d950061d80f3ba8f1a8d2141e91087b76ff5f95dfd7a0

Download Submit
C:\TEMP\sait.bat
Filesize
59B

MD5
e64113f4aea4af810e0ae0cf058d76c1

SHA1
a4f103754b39ffd38a0d2e4f11699ff5e25de721

SHA256
b39e17b6e906c3923a037b9c69e4acbaf23a879f01147d23302e19c05ee94b4a

SHA512
be25307634106d92442455aa604e2bc89bca5d483ab947c7457bd1918eff3d359a4b61833dfb1e0bff1a8a74fee0de2d9b024e32711078d1c7a9806891ce91ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57edd71e745e1b780414824f89ee8f0d

SHA1
1f7b02b19ca7dc11ddcf7e3de234d003260fcc0f

SHA256
e3631298c4e797d1442180a4170e85087059de3775105bfd29ac0554ce9420bc

SHA512
7bb50f5b38727d08a44570e7e946b4cce4e0d6e5465118695fff67f38fa4f7d54aa5362a37f6d5c05323d3413abf9325e90d5f20bbf89d5c4e35d2ba3f528ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e2f74ff425b65f2e462d7aa66762d20a

SHA1
c8f226d4d8fcfc2a51c3ffe21cf6a1b9307c189e

SHA256
3bb273c363b2d62a30f353517cca564d34e0f9c4b371067d0adebc592c53bfce

SHA512
f24570fd92b45c5364f3b2fd87b8e9df78817aaae78fb4b1d8d1ebc125a1595fd6bf66669e0a715c66f3e9f3051be15caab875726d6c455f63ab511631547cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index
Filesize
48B

MD5
7e4b01f186c39e104e5f227adfe00cbf

SHA1
2fff452f4b67402c832d9fc01c387bd713819dc7

SHA256
68c61bbf267d05be8dd20377bad8be476d89a3690fb2a3d77a758aedd6b180fc

SHA512
693ef47d8e0d574c0957a0384f587631f650334c78805193441fe845786aa04d86a2a50fc6088b4e649fe4e1ecb0d04ada8be1d472e343cceadf7ffba844bd22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
b64100b297fd7295901f0236577a24c2

SHA1
d4d065d855720e02d14bc20b77b4db983f5a4a44

SHA256
ed33a26ac982ca629466c82a5954f192a1ad800a3dd33b92d4ad3a2d8abf7511

SHA512
8fbdc5f01f6b0a884ccea0e4f61e9d126d4fb67cb04c721e738b13b351fc1b16e4462257de173771178473692905f88872f982f7c4c16117fbf35228fe1a0a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
Filesize
20KB

MD5
8f94c0652e94b2e878b5b14ebbcc5d9f

SHA1
6b0fb9a25d8cfd3847ae02b551356e09e39e589d

SHA256
f84a60c04a75b025a2d85e70adb477340fa33e647edfdc9dbb60be49c45cf2ca

SHA512
bce2b45858c5d0201c0cfbf5086386abe1f6cb10cbb06aa8363ff961079a419f684ec849b83940f998eb8545a58d359643b297a8b9dde7fda91c375813d9c6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index
Filesize
256KB

MD5
3786b56825a4ff3fcb42451b59aa4f3b

SHA1
303fa976297a386391f9aad6da391c20fb70a64c

SHA256
b942948d41a7ae49c0201ae7143d813d0c00aadcf8b447a0d5dbdd069a7966cd

SHA512
459eb6d9376c4219d61e81f6d19e74650d2a9404c25953d45ed903865052a5bb9114e164a0223b31c4e6237339e1c2930113d7d18429d4a48b5893ca3346fec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
53e8585f23b89e4d48ace551006ac2c0

SHA1
fb75058a3efb663b21585278fe37c8f909475803

SHA256
e5b36ac1e2cb1ff7f56bd9cec73cc414c30affa870f1c62801d947eda3bb2077

SHA512
9733d8635fcc556a3ec58654c30b91293c4e8bee15953df44cbda2715a1e430dc511c240c56d45f8f6e953b77731ed7282d46b6f38965872c4cc1864aa7ae726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
9648b61cf547c74ebfd5d58d8b9508e5

SHA1
7f183f759aba7582ee6a1bf306b559cfab2962fd

SHA256
b0b8594fce4b1b57bb18433bf8d8213769d73f752c7c4536ef54ff91d17036a4

SHA512
bc08032c4799659340a1c0d74a351c478b4f12bf05998aef2d44a325567f4b38b49353f74a22c25f68a9333371a37cf07e34cbc23310da5e2df163aad7bb8493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log
Filesize
99B

MD5
39cd8aae72310bd79f576a42aeff1f6d

SHA1
eea86496223037fd1da0ff494b4f33cba39894c1

SHA256
cf866ea12b3aabbccfc5f59377edc028538e1656c1ab87d27b202ee23b191910

SHA512
6d1bca1929be8a9c598baef3354fd42ae66e4a727e35778b1fe151cb2985d3465facaaac2a6459ea7c0b96663bd7bfc58fb5a3e7d76911d7410b398df6d3bbcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG
Filesize
297B

MD5
c007d32823921905b684136be01b5c9e

SHA1
affb5d06babf8fade6a7db0aa409fc9499f25611

SHA256
92b8f8f4cf5a8d634aabebd7497371306d26d6d1cdb4a6ad16fec5ceba5a62b4

SHA512
22e2c76d10077f5bf7dd78d9087509f073aa9d1f0ec5a7472146bffce4b1b15768f608858979f27ecb00c6fba255efac15f93ecc39b6f53ff2a7393b28fed98f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13299672572850429
Filesize
7KB

MD5
95e4a854cddb7614caa8894b64b16560

SHA1
80beff714b5633c94369dc54e1650ab79d68fc50

SHA256
327d5081b3c4f037d6ea140d9623b0b022a099c7bf2f4a23004b5b4e356c796b

SHA512
279167055b714d4bcee788b95279fb09deaf04423f395433c33733c6c0c9cb8ad2e53259f8b0f26972af6b920eb577e89e32e9ada693ae1d7b567457a5d06dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
82022f0985a6b3511ff0c60ad07a25c7

SHA1
acbbc8a6e716a277b1c8a637b99d91b3ccb29b96

SHA256
658cde28d74c9b89a275f7576dda3ca6a666d7d552a0a7160d6e7cabd9342381

SHA512
f1f3eedafe141b573fcbac05dbf816c6142f15ef9d4db38fca73ed3f2911953cefdbb29f0fe79d3e783af5d10c21eb7fe239e3f055cacfd94df50b8b198c3ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
350B

MD5
4a29edceccfa9897bac5cf9e07873e34

SHA1
d5a7f163d4b9da435b22894c52a7120dc442c22a

SHA256
e068f955d6ca27213d516a315e6e69b5be8954419b651e11d278273eb73ab606

SHA512
0ea008c2685e4b0f6b53f00250a168bb4e877c42835acecc0c30134ccc50fa58603b705b8a970352b5a0fd8dcb4e0eb48da100d41741d657e25443a03445b8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
1925f0c82ad9d5498ab1d4a2ad2cfdb1

SHA1
3dc8bb88f8af952aaaa8480d3630223c5b459d50

SHA256
8b96e8bce46b20e9bc226badc5046eeb1b66ac170848a5b5f74be8d2b67cbaa8

SHA512
4b5759f76b76391290468d0b3512f3b7129f44ed8920723390a96d5c911bfec6566319c43bfbadc056e09bb3f42134d7efe3b7bada8424c2ac25fa3c8c3a89f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites
Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
6c049f3f1c08b8b1dc3424e0cef65090

SHA1
417aa35c3a443d370f0ff95befe245ae0157c146

SHA256
a7456d2e5b5080cdd164f51c2162f000c6f54499d4801181c437005478416748

SHA512
c8517e96c964e23945398bb23e0970103bfd945594163c2e2aeca0fb9f972fec3a84f428bd7525ed02c94955220975123b97430148b7b59d175db0b0f7ba4970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal
Filesize
1.1MB

MD5
9e48a232d1391c162e48878ab7ab82af

SHA1
fab179d0168a13135f6266c60f967da3e3c56347

SHA256
2b4f00ac5bb58169fda5b7617d4d3aa4c912ee0a94193594d3f9d3ec82dbfd74

SHA512
2daa6094613b677050666f2fcc4bd23d91e3429d2c640253a3f8b06d7dff35658192fdf6e8b53eb82337991e64340c5008b446932afacec0cb85cca439ee49ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
297B

MD5
2c1f5d3f1cecf051a39f48421a15d742

SHA1
96e4b5ee180306ad27f9ed939e139a8754bdac2e

SHA256
b3d1b14fca3b07f233fe02d5b53aa0b83a67b083fdcee70c6f8ae0d448a9c0a8

SHA512
f71f27b36f8d0b188f122d32f2fffc3e24b5934d54f1f0d2700d9b9e16b783ce4920b3fc21d67ec5c5e0b7bc3186aeea769253f5a24f15afecdc2a4f801ec63b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
de6d26c4b0774a7b451984b57c37a53f

SHA1
70ffc03aa9c29c60b49db2483d4388f19283aa68

SHA256
ab21e752e96069a86cf693d63dd2270c430122c0b97b4cc4972d04be1f321737

SHA512
223c913c3b9f8bbbcf619791e85c7504c4580dcfbbad1d89f1eb236cc7a4e78ae00030ebdcc3da4091f53e3781f5aa721d0118da4cca08d7e6e0d3849ea4ff05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
c1f23e5a56e71178b4e39ce116d8f137

SHA1
7da300ebed44283a879674476731c9a2764681a4

SHA256
1d04b06ce52b229049985aa2254875dba5bc8a847c69145374dc0b13e706d5a5

SHA512
12a291c311a365d4e02f1addb6acf1b00eb2b6f1af9e4d4adc597410be743437bd894da86286bac3a3677296593a0316455b73022a476bc1ffb3d1a71f890960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637907877613494133
Filesize
4KB

MD5
23d96e813710c0791f35475df88dde09

SHA1
e381249fe0de78cf6dbeef641bae4fd78fcdcd07

SHA256
93bf6a30f1474521dcf5e27210c33fb163a7ad584adaa12bf0491d164bd86bd4

SHA512
0db9ef5c5968885699187af74e7c5b3d1e4c2df976ecd2edcdb73f31245ded99e0103f2671aadf76c7417a913269839280082fb6e85d01fa85af777f55c01354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Temp\avtzap.bat
Filesize
98B

MD5
138e66bda2b8088226002ac13ceb7d7a

SHA1
1ed9e1b1658d8d41c0933aa1e0ba5d566577ff8a

SHA256
5cba178a4165b1bc977be7c94a9f70555305a049a7fee3c3ca883530e7e8a302

SHA512
d831da3e5759127a2a823a5ddf26d62bc3a2c801f25105a22653acc67ba45a469514928648143599fff780c3ac5e32aee91f24460982153d595768b07b6e7c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
295KB

MD5
8b2d6697c9056128cabfb8f6c3207602

SHA1
2ed8110f2c15a453982b3953ece44555919e123e

SHA256
a61deb915fad30c8c34dc1bbf895f72376adf24d0711115ece52f675fd10b045

SHA512
80a498763ea04dbb275e177a2f9330d49f63dde3b609fbd469f440a36235747cf932cf92c790fb511980a543807b2178b30bc0c61cae87552bf53d96634a2d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
295KB

MD5
8b2d6697c9056128cabfb8f6c3207602

SHA1
2ed8110f2c15a453982b3953ece44555919e123e

SHA256
a61deb915fad30c8c34dc1bbf895f72376adf24d0711115ece52f675fd10b045

SHA512
80a498763ea04dbb275e177a2f9330d49f63dde3b609fbd469f440a36235747cf932cf92c790fb511980a543807b2178b30bc0c61cae87552bf53d96634a2d11

Download Submit
\??\pipe\LOCAL\crashpad_4668_XNWOXPHCEKFKYCFI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_6044_TYJBMCHRPWJEYKQX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-142-0x0000000000000000-mapping.dmp

Download
memory/396-135-0x0000000000000000-mapping.dmp

Download
memory/448-161-0x0000000000000000-mapping.dmp

Download
memory/740-145-0x0000000000000000-mapping.dmp

Download
memory/1064-232-0x0000000000000000-mapping.dmp

Download
memory/1116-144-0x0000000000000000-mapping.dmp

Download
memory/1372-162-0x0000000000000000-mapping.dmp

Download
memory/1412-236-0x0000000000000000-mapping.dmp

Download
memory/1648-133-0x0000000000000000-mapping.dmp

Download
memory/1660-167-0x0000000000000000-mapping.dmp

Download
memory/1776-141-0x0000000000000000-mapping.dmp

Download
memory/1856-235-0x0000000000000000-mapping.dmp

Download
memory/1892-248-0x0000000000000000-mapping.dmp

Download
memory/1952-138-0x0000000000000000-mapping.dmp

Download
memory/2144-237-0x0000000000000000-mapping.dmp

Download
memory/2264-152-0x0000000000000000-mapping.dmp

Download
memory/2288-158-0x0000000000000000-mapping.dmp

Download
memory/2380-154-0x0000000000000000-mapping.dmp

Download
memory/2544-130-0x0000000000000000-mapping.dmp

Download
memory/2800-242-0x0000000000000000-mapping.dmp

Download
memory/3000-199-0x0000000000000000-mapping.dmp

Download
memory/3404-234-0x0000000000000000-mapping.dmp

Download
memory/3868-165-0x0000000000000000-mapping.dmp

Download
memory/4080-160-0x0000000000000000-mapping.dmp

Download
memory/4088-150-0x0000000000000000-mapping.dmp

Download
memory/4384-156-0x0000000000000000-mapping.dmp

Download
memory/4668-139-0x0000000000000000-mapping.dmp

Download
memory/4768-163-0x0000000000000000-mapping.dmp

Download
memory/4780-255-0x0000000000000000-mapping.dmp

Download
memory/4816-238-0x0000000000000000-mapping.dmp

Download
memory/4836-148-0x0000000000000000-mapping.dmp

Download
memory/4984-257-0x0000000000000000-mapping.dmp

Download
memory/5056-259-0x0000000000000000-mapping.dmp

Download
memory/5140-263-0x0000000000000000-mapping.dmp

Download
memory/5140-169-0x0000000000000000-mapping.dmp

Download
memory/5156-230-0x0000000000000000-mapping.dmp

Download
memory/5200-252-0x0000000000000000-mapping.dmp

Download
memory/5228-254-0x0000000000000000-mapping.dmp

Download
memory/5268-200-0x0000000000000000-mapping.dmp

Download
memory/5272-208-0x0000000000000000-mapping.dmp

Download
memory/5408-171-0x0000000000000000-mapping.dmp

Download
memory/5512-250-0x0000000000000000-mapping.dmp

Download
memory/5572-173-0x0000000000000000-mapping.dmp

Download
memory/5668-261-0x0000000000000000-mapping.dmp

Download
memory/5692-175-0x0000000000000000-mapping.dmp

Download
memory/5700-217-0x0000000000000000-mapping.dmp

Download
memory/5724-228-0x0000000000000000-mapping.dmp

Download
memory/5784-239-0x0000000000000000-mapping.dmp

Download
memory/5916-241-0x0000000000000000-mapping.dmp

Download
memory/5936-244-0x0000000000000000-mapping.dmp

Download
memory/5960-246-0x0000000000000000-mapping.dmp

Download
memory/5968-176-0x0000000000000000-mapping.dmp

Download
memory/6044-177-0x0000000000000000-mapping.dmp

Download
memory/6068-178-0x0000000000000000-mapping.dmp

Download
memory/6116-180-0x0000000000000000-mapping.dmp

Download