wannacry | a59e7c4d5e92665f25d5c93eba73804364a8ec3cd600fc10f5ece38d60c15d46

Analysis

max time kernel
976s
max time network
971s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-03-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crack/Keygen.exe
Size

47KB
MD5

38f93b2d9313c53f1de7222550f1d6d3
SHA1

11384e7845abff814eb04e4c6fb35a28003814fd
SHA256

244113c644ffe40bdd67d23d1d6261ccf7875af5ff5b80b1ecacf84d7542a487
SHA512

cbcb370b1cbfe62b85d3236345ff937c88226f3bbce728a66f0cb303fec35402fd105e680da899afb7ff74c8ab8687c8e039a3fabf1b072cc58ee2e51472f3ba
SSDEEP

768:pXMi+u07J5Q9tTD6IA6WfFhi9ShUD+G3eKf05txp/2/UM5uYEYwt:pchvQHD6I5WfFIShUr3XSp2UM5u7Ywt

Score

10^/10

wannacry discovery persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCrypt0r.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDEF31.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDEF47.tmp	WannaCrypt0r.exe

Executes dropped EXE 31 IoCs

Processes:

NRVP.exeWannaCrypt0r.exetaskdl.exeWannaCrypt0r.exe@[email protected]@[email protected]taskhsvc.exetaskse.exe@[email protected]taskdl.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
2008	NRVP.exe
1964	WannaCrypt0r.exe
236	taskdl.exe
4132	WannaCrypt0r.exe
3968	@[email protected]
2440	@[email protected]
3692	taskhsvc.exe
4500	taskse.exe
820	@[email protected]
1820	taskdl.exe
872	taskdl.exe
1624	taskse.exe
2492	@[email protected]
1344	taskdl.exe
4820	taskse.exe
4748	@[email protected]
3528	taskse.exe
4544	@[email protected]
4120	taskdl.exe
2968	taskse.exe
1984	@[email protected]
1404	taskdl.exe
4656	taskse.exe
1972	@[email protected]
1012	taskdl.exe
2184	taskse.exe
3808	@[email protected]
4644	taskdl.exe
2492	taskse.exe
3868	@[email protected]
2120	taskdl.exe

Loads dropped DLL 6 IoCs

Processes:

taskhsvc.exe

pid process

3692 taskhsvc.exe
3692 taskhsvc.exe
3692 taskhsvc.exe
3692 taskhsvc.exe
3692 taskhsvc.exe
3692 taskhsvc.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2792 icacls.exe
2284 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3692	taskhsvc.exe
3692	taskhsvc.exe
3692	taskhsvc.exe
3692	taskhsvc.exe
3692	taskhsvc.exe
3692	taskhsvc.exe

pid	process
2792	icacls.exe
2284	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\d731aa97-a4d0-4f75-ac73-2a12fe6b7de5.tmp	upx
behavioral2/memory/2008-632-0x00007FF776040000-0x00007FF77604C000-memory.dmp	upx
behavioral2/memory/2008-635-0x00007FF776040000-0x00007FF77604C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vfjxtaorfuauqli296 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

55 drive.google.com
108 drive.google.com
124 drive.google.com
16 drive.google.com
54 drive.google.com

flow	ioc
55	drive.google.com
108	drive.google.com
124	drive.google.com
16	drive.google.com
54	drive.google.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCrypt0r.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2356 2440 WerFault.exe @[email protected]
3268 2440 WerFault.exe @[email protected]

pid	pid_target	process	target process
2356	2440	WerFault.exe	@[email protected]
3268	2440	WerFault.exe	@[email protected]

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

NRVP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	NRVP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000"	NRVP.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2852 reg.exe

pid	process
2852	reg.exe

NTFS ADS 6 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\EULA.txt:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Password.txt:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.7z:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 172492.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 419755.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

4420 NOTEPAD.EXE
3840 NOTEPAD.EXE

pid	process
4420	NOTEPAD.EXE
3840	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exetaskhsvc.exe

pid	process
3948	msedge.exe
3948	msedge.exe
2164	msedge.exe
2164	msedge.exe
3792	msedge.exe
3792	msedge.exe
2060	identity_helper.exe
2060	identity_helper.exe
3164	msedge.exe
3164	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
1676	msedge.exe
1676	msedge.exe
2152	msedge.exe
2152	msedge.exe
2060	msedge.exe
2060	msedge.exe
1604	msedge.exe
1604	msedge.exe
5012	msedge.exe
5012	msedge.exe
2172	identity_helper.exe
2172	identity_helper.exe
2340	msedge.exe
2340	msedge.exe
3692	taskhsvc.exe
3692	taskhsvc.exe
3692	taskhsvc.exe
3692	taskhsvc.exe
3692	taskhsvc.exe
3692	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

808 7zFM.exe

pid	process
808	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

Processes:

msedge.exemsedge.exe

pid	process
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exetaskse.exeWMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeRestorePrivilege	808	7zFM.exe
Token: 35	808	7zFM.exe
Token: SeSecurityPrivilege	808	7zFM.exe
Token: SeTcbPrivilege	4500	taskse.exe
Token: SeTcbPrivilege	4500	taskse.exe
Token: SeIncreaseQuotaPrivilege	3680	WMIC.exe
Token: SeSecurityPrivilege	3680	WMIC.exe
Token: SeTakeOwnershipPrivilege	3680	WMIC.exe
Token: SeLoadDriverPrivilege	3680	WMIC.exe
Token: SeSystemProfilePrivilege	3680	WMIC.exe
Token: SeSystemtimePrivilege	3680	WMIC.exe
Token: SeProfSingleProcessPrivilege	3680	WMIC.exe
Token: SeIncBasePriorityPrivilege	3680	WMIC.exe
Token: SeCreatePagefilePrivilege	3680	WMIC.exe
Token: SeBackupPrivilege	3680	WMIC.exe
Token: SeRestorePrivilege	3680	WMIC.exe
Token: SeShutdownPrivilege	3680	WMIC.exe
Token: SeDebugPrivilege	3680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3680	WMIC.exe
Token: SeRemoteShutdownPrivilege	3680	WMIC.exe
Token: SeUndockPrivilege	3680	WMIC.exe
Token: SeManageVolumePrivilege	3680	WMIC.exe
Token: 33	3680	WMIC.exe
Token: 34	3680	WMIC.exe
Token: 35	3680	WMIC.exe
Token: 36	3680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3680	WMIC.exe
Token: SeSecurityPrivilege	3680	WMIC.exe
Token: SeTakeOwnershipPrivilege	3680	WMIC.exe
Token: SeLoadDriverPrivilege	3680	WMIC.exe
Token: SeSystemProfilePrivilege	3680	WMIC.exe
Token: SeSystemtimePrivilege	3680	WMIC.exe
Token: SeProfSingleProcessPrivilege	3680	WMIC.exe
Token: SeIncBasePriorityPrivilege	3680	WMIC.exe
Token: SeCreatePagefilePrivilege	3680	WMIC.exe
Token: SeBackupPrivilege	3680	WMIC.exe
Token: SeRestorePrivilege	3680	WMIC.exe
Token: SeShutdownPrivilege	3680	WMIC.exe
Token: SeDebugPrivilege	3680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3680	WMIC.exe
Token: SeRemoteShutdownPrivilege	3680	WMIC.exe
Token: SeUndockPrivilege	3680	WMIC.exe
Token: SeManageVolumePrivilege	3680	WMIC.exe
Token: 33	3680	WMIC.exe
Token: 34	3680	WMIC.exe
Token: 35	3680	WMIC.exe
Token: 36	3680	WMIC.exe
Token: SeBackupPrivilege	4128	vssvc.exe
Token: SeRestorePrivilege	4128	vssvc.exe
Token: SeAuditPrivilege	4128	vssvc.exe
Token: SeTcbPrivilege	1624	taskse.exe
Token: SeTcbPrivilege	1624	taskse.exe
Token: SeTcbPrivilege	4820	taskse.exe
Token: SeTcbPrivilege	4820	taskse.exe
Token: SeTcbPrivilege	3528	taskse.exe
Token: SeTcbPrivilege	3528	taskse.exe
Token: SeTcbPrivilege	2968	taskse.exe
Token: SeTcbPrivilege	2968	taskse.exe
Token: SeTcbPrivilege	4656	taskse.exe
Token: SeTcbPrivilege	4656	taskse.exe
Token: SeTcbPrivilege	2184	taskse.exe
Token: SeTcbPrivilege	2184	taskse.exe
Token: SeTcbPrivilege	2492	taskse.exe
Token: SeTcbPrivilege	2492	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zFM.exemsedge.exe

pid	process
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
808	7zFM.exe
808	7zFM.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
1604	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

NRVP.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
2008	NRVP.exe
2008	NRVP.exe
3968	@[email protected]
3968	@[email protected]
2440	@[email protected]
2440	@[email protected]
820	@[email protected]
820	@[email protected]
2492	@[email protected]
4748	@[email protected]
4544	@[email protected]
1984	@[email protected]
1972	@[email protected]
3808	@[email protected]
3868	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2164 wrote to memory of 3960	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 3960	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 4896	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 3948	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 3948	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 2844	2164	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4480 attrib.exe
4532 attrib.exe
4272 attrib.exe

pid	process
4480	attrib.exe
4532	attrib.exe
4272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Crack\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Crack\Keygen.exe"
1⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff180b3cb8,0x7fff180b3cc8,0x7fff180b3cd8
2⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
2⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
2⤵
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
2⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
2⤵
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
2⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
2⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1
2⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
2⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
2⤵
PID:5108

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\WannaCry.7z"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
2⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6064 /prefetch:8
2⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1772 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Users\Admin\Downloads\NRVP.exe
"C:\Users\Admin\Downloads\NRVP.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:1
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
2⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
2⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
2⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
2⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
2⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
2⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
2⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,4150326682630980879,5732140385724214458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EULA.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff180b3cb8,0x7fff180b3cc8,0x7fff180b3cd8
2⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
2⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
2⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
2⤵
PID:672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
2⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
2⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
2⤵
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
2⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,17642991178552607189,9024936075371965046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Password.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:3840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

C:\Users\Admin\Desktop\WannaCrypt0r.exe
"C:\Users\Admin\Desktop\WannaCrypt0r.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:1964

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4480

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2792

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 307291709973327.bat
2⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:2120

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:4532

C:\Users\Admin\Desktop\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:2564

C:\Users\Admin\Desktop\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:448

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 260
4⤵
- Program crash
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 260
4⤵
- Program crash
PID:3268

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfjxtaorfuauqli296" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
2⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfjxtaorfuauqli296" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2852

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:872

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4120

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1012

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\Desktop\WannaCrypt0r.exe
"C:\Users\Admin\Desktop\WannaCrypt0r.exe"
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4272

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2440 -ip 2440
1⤵
PID:3108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2440 -ip 2440
1⤵
PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
583B

MD5
10319f9ebaab5ac84995290bf961664c

SHA1
0575fbe6e0c4dceff0e4af6b6eb97e1bc2220541

SHA256
aa2e8a7f4eee7b51ff6c5cc4b02af04dcd8bf8af6374858cdde26407c5eb7804

SHA512
ab5accffb45186912c0ee6b3914da66facba6a4a2e1aa47a5fdb1f5a68e04d71f89480720d07124e35d2ca299ddc852eedc53809235924608fb82f56aa6fb3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e44dc459042dd778c5b3e53f5a35e301

SHA1
1072b96021db664642e198843b27396a35f3ed7a

SHA256
7198d7a7a2528a84429079669fe60fdeef94dc4d9fed28c5d33b03343fa32fbc

SHA512
25b8ed11d865030670372c83ce1254166db67c1af57c025c126ea20a6058a28d7399ef0ff8eeb1710e666e2b2d416708e55c16655e4106583b27667cd51507c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
00da7a9ead816e3f2d1b30bc4b6a7ed7

SHA1
28b73d3f9c60220aa57e2e2a8e96155591d23bb9

SHA256
b32cf950d9ac1552ac85e1ab6de8944972ff5365659b6a56b7663e15a65ecd9a

SHA512
8af4c311c80a1511931fc7de1a2c7f4f7b48977216d07c7ec15bcbeac4f5013d63314b8f20c8d2505d34b061ea0e1966a9646b0dfb71642f18e21e0fb826ae4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
88e9aaca62aa2aed293699f139d7e7e1

SHA1
09d9ccfbdff9680366291d5d1bc311b0b56a05e9

SHA256
27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c

SHA512
d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
341f6b71eb8fcb1e52a749a673b2819c

SHA1
6c81b6acb3ce5f64180cb58a6aae927b882f4109

SHA256
57934852f04cef38bb4acbe4407f707f137fada0c36bab71b2cdfd58cc030a29

SHA512
57ecaa087bc5626752f89501c635a2da8404dbda89260895910a9cc31203e15095eba2e1ce9eee1481f02a43d0df77b75cb9b0d77a3bc3b894fdd1cf0f6ce6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
300KB

MD5
c9db0f346a60fad73071ffe5ec8cda68

SHA1
33dddfb5c96eb606b8aa8d48905fcec567e34258

SHA256
87b14bbc0b0f9fbd1a30fc9ecc6cca9c9bb3f4399b4dd483c4719f81dba44438

SHA512
b7653ecbc25a8a010740791b000c0630b4c0cffd420a50c4cdd99a5e7d159475ef0c5b25e47bea09c2727fe8caadd0f0ff583fb8723d544d1040a9894d98ba75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
76KB

MD5
8bf78a475e57f6c79250e5d7dcc7ec38

SHA1
2c7fa5fedc3b6596d301d969a8be4a8ffb80b63b

SHA256
e6520240cf17df0c35a6da374ae01f07a225c10c64d81d6344047ae10e418bfc

SHA512
0d9359eabbeb51d3a2b415af8b57660de33f446d81ecedfd01df0696aa0395841787ff103f47fdb7a356f27631bd5b8272b4d912b4e928ce23d47c32a38059e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
520KB

MD5
0c4e5c1492123da355d80565ec7a7aeb

SHA1
6eac48e968eb56f22fd68e8ae9c75c905f9b2e74

SHA256
185bd62e71792b6c947c4020679fb6685db92daf2391dbb3113586f84830ad03

SHA512
939e966818725631114e4d77125a973833ac35a898ed9c0d88818aa70bae195bf25fb7a1d63c35071438e0d2652bc8e063e0eecddc02cd23150c56be5b52d673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
35KB

MD5
aeff2e86c8ad785aa244e7c8fd59225a

SHA1
640063183f6049c4f83edab5ceacffce5a21db1d

SHA256
32ce145b63920125c915daa877c98211b145f3bb38c64df60ed6ba4cc670d9e6

SHA512
2152511f47fcba32193107871b03a7940e79e0e795dbcd2a3bcfdbd55da9295660607614ce77286bac655624c5694f0467fcdc61f2412f6abd2fb006a6af918e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
40KB

MD5
d2d0c427f1d093c36a9fd6751a9a9d61

SHA1
dbd596ab1f2256ed3e3816be5eeb75d34f38f821

SHA256
b37bce0e0f504a7b54d3a01007169d4126c2a401be8f93afe35f665e62c3e34f

SHA512
b8418e074df9619ae62461b5c42fcc42d2ffb8b099e09ec0271bb481f8e1ad8d7655fd5149d8abdbce1d35226029f200623574946d6223df1c9c14c7824d63ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
69KB

MD5
11eb05aa0a2f5ea1bdfb42720eb87244

SHA1
9d4a1443a855a66c77b956e7a5f8fb92746e2344

SHA256
e7dc5ab09b8c0a9089ff52d24fc6de5bbe66dd32547bc51ddb960ebff57221aa

SHA512
6a906aa8c93be952b841f1a11680e081d1f5070e4f402d3285722028e876264ae3c7b6212a58e0e8c618fb867c396660dc5684d02867bc4754851a71e479e929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
48KB

MD5
fee6c6f3f2bdc4efbb6762c1cd4d6d18

SHA1
e6d35b4182a999ec8ccd3f766f1d97213ca35fe9

SHA256
91f81ac16ef2da0e02f40d46fd26a05dcbfa46e86a90eb8a366de34732cdfbac

SHA512
05c13641f04a43d53f5ebba9a9d1f71ed082a940b3fe4643dea65ccb09cb90c28757fb060f3dcec62681c79163cab66aef8a48407eb7b0501db3e47679cdce74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
65KB

MD5
9d10e542362525f40a4048d7a4c170b2

SHA1
232f061f16274a49f4c6099ce884faa85adb9be8

SHA256
8ab4f0b9969db04d61420ef560f5281f05e3e340003780319e769a81e001dee1

SHA512
32e3bc6b7ddeb0d1fec43cff490be8c2b9a74861606b3ff2f8b01fbc88a3ddaa3acdd3335b0f7cccf3e9c86ca131cb181292ddbc9a234269730265d114ffdb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
33KB

MD5
c15d33a9508923be839d315a999ab9c7

SHA1
d17f6e786a1464e13d4ec8e842f4eb121b103842

SHA256
65c99d3b9f1a1b905046e30d00a97f2d4d605e565c32917e7a89a35926e04b98

SHA512
959490e7ae26d4821170482d302e8772dd641ffbbe08cfee47f3aa2d7b1126dccd6dec5f1448ca71a4a8602981966ef8790ae0077429857367a33718b5097d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
91KB

MD5
659565bc9c71bab6c0d4d9e64b1a1103

SHA1
e214d7fd1efd5f252e876502f153c0908c39962b

SHA256
9db0034d62b05400ce3afbd578d62f45f624a53d2861d9507cada598c6435aa6

SHA512
bb728686b1b43548eaee007d246b0fd9d0170e3aec6e0aeaf3b6fcabd4ed045e90ce964e5f9fc0b4f9b17d70931a13fc6c4f72b0b5d36c76eb7d5798134a1117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
285KB

MD5
a16d0b2168f6f2f7410d31311c01e11d

SHA1
80e0ff8094b8e6ec406840eee0b8f1bb179c1545

SHA256
8d5ad60db930aa4471f2e68f8cca9621a88e2e55ca903eeb9043928bd9f0d992

SHA512
f20d07156d9d4c67b0b7281d4b180588234c5e708982a29fd4187691a8a06b9e318daacf17ede5d506fe95b3ff071dd71c937b991de88fb1bd2150a2386ba9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bc87b3b58824fadab2a6f478a6b238dd

SHA1
3fa6e1eca3d25cd3385667da7a73bdecfcb67796

SHA256
839060910bd8c30b18c5acedc2d3d08e773562339f0ff4968a80e160001107f1

SHA512
ccdfe61989a7f92ccc03170eab17beed5c208738a87ae982d11f15103b8b4cd641f962bcd14be80c8798cd9927a3511587aa67477ea253ee149d5ed8aed23651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
58c7c7af4aacc27f49b52caad7c2d9e2

SHA1
637fdd2f4f6b3a7bce145e0191f280f9c94730ca

SHA256
305fb19d3048e75eca0107c4716b50026e48eb75700db07f4094b06202e5c652

SHA512
c56cfc09e01b03301221173997498728e282f0e76042cdf6c5bc41e28e69b87c963cf0ea2990bf873ea2c8603ad24af6f8d1fe50df86a012ee921341844866d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
32109cc7ef665b4164e5953e32510512

SHA1
c358cd5c0a7898c111da108f8311bb7db0dd6484

SHA256
ebaaac53e8867c6b087b54a75890fdec70ffda869c2fcc59dea71084cb40c227

SHA512
32bd2151b128b14a08c92cfb5ae4e40b82cccc899a4b14190842b09197390245d392011152a1a0826431884ba1390583320e06591f93438c0216d5b8efbff0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ce48544bac9e4549cce4bc09539e17f9

SHA1
a6e1e2348cee8681d8dd0f5000f7dc74bd394791

SHA256
388d6ad6c0b57334863e57c4f65593f5331c6ccd74f82d37e90c7e6ab02ff9c1

SHA512
07507820ccbc295c04e2d19a1846648e074e612bbf9c82c65f4b5f041fb447cf9650327671277d27bca4036789124c4dba3e6ebcf1808b787ae5a30e7b7725a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2c38659f30a88c6bb67f112705135f9d

SHA1
d73b5d2da6fb6abe1ac62b1a39320cbcbe6ed151

SHA256
8af19178b587ccb29c54da1ab132b160c828c7297affc0cb380b9f8d005d126d

SHA512
91e63e45717861e6ad9c646ab361aa4a8971aed620e3b7946ceaffe11c9a55963cb3892418a0f8b8fc323e11b6146555cccf00dd920f287e3d8be718de9caed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
9f202557e098ddd0b6f509cd975241a9

SHA1
ab0072a553c70ba5e9a865dfa97369b86d77a970

SHA256
0535a3c6ebfc96d9fa570bbad81b5aaa5e61b3b4a02daf3faeaeb8c8a9d43eef

SHA512
63b89d66d538212d1fecbc91f5c4ae990750e9fb02d06599e4d1f09440e12f7ba1bab3c276e98fc0b2a7cdfc0783c4aa6255f49fdcf975af0392cee4aaaacb8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
e402b2d437bd7774bec363eaf5413412

SHA1
6794e1750413dc7177ec95541399bbf048dc5c09

SHA256
249af90e85942c356814a5c167379cab3458ac35db1f027fe672d58389f24039

SHA512
5d4515aac4cb85c10b21ee58ff08c99de8c49260323246b29e9499980ae9224ec884c7bf3d783d9f4a2235737f2c1d4b69ddf71e4447e4efa556c5d603c6654a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
2KB

MD5
351327f7eb56d92f381bde594fc9a183

SHA1
97557e35bf190aba45c1d8c39c9d7e4f5b572327

SHA256
eb095c04dc355c5ee964e5201c929d0f1c38864c8537b3da3ca40a180fe711fb

SHA512
351b2a4bab4389bb752db251e815dba16dc717f7afdbdae63ec686a73c115886b894bc437b8353b1c93e34e8af886022dd1db23c9949f8f710655639f4f71bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fee5f7c9ae21c615e63ec5c1792e4fee

SHA1
557fd65ef91626cf1ee5a16d93564ddc47ca547e

SHA256
559d76eaefda5b9cece72a70f889b280800d5d3020856a26685de496b7f6af2e

SHA512
f08f29c54b68ed05ce6decfc54a87cf83becba4170bb5c3033dbdeb0cef0ba079b723f49794a2156cb693ee91eab305ab081235c7fd6817b5073bc4161948a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6d8d7cd4cddceaf4bd40e2cc3677896b

SHA1
e0dbdad3b4be29f924165e481413266ba84dc4cf

SHA256
536cb3e9f777f9cf7da55b1fb5ede3ef89128fca0061c810fda1acf3849fbb96

SHA512
84d040e9ea1bad02666c13dddc777d2fd2901dbc321ecb6728b8de4741284a214e379ed92b47c38f6be873b52cb4c0414bcb0d9a75221496f1adc8840b197c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
45d5193e193b7c24c2ba7b45b16a719c

SHA1
a2bcd0dac7fbedf453528834de17f608b0d2d46a

SHA256
f252c61e0c8ccabc05f262bf6690be409a7cd446fddeff2c01b833a6cd84b3b6

SHA512
8b437ebbb055cc7b88e4dfd046badfa9c684bbf63e75d4fa722ec2c4c910ab2b813cdac9d32f181801535103f4d766eccb98213c15e056691939f033b7ac9b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
11cc41056c6872947ca77ed26a148942

SHA1
d8f749836b772d6d8e5c2288079d7f7e4e6068d5

SHA256
50875a10a1c698d085f106fa03eb8e6370773d5448d09fa39e9755cad9bce87e

SHA512
84e8aaf435e67c41d83da9b0745352e378d6e1b8f31eadcae263efaf0b57188aa9ec33a6e2f24de44749bdef9f8f9886884bfa94491cb2291a87c9e3c5c01901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
be03ebbea239192af825db1db263f8e3

SHA1
96007546152e87dae3588964400c616bd4e6e6c7

SHA256
0a479b07e84ab53b723068729b9401dd49553f01d1f040c7c025f15652226b33

SHA512
9a16d36c9a6da0332653afb1e9b5f9898a3e1f71712cc60eaa66770fa5a27363223bf2ec3dbe68439ec9b40194dc6f2d48361c985d11a969582110fe8b124023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cf91444bf53bd60e0711d503bca8ca42

SHA1
6b2a8f9bfcb0faaa76048191385c2204ac7beb5a

SHA256
3d3332ab7fba8c403ff166dbe795c59e1e2569252a0e92d8473014a0f05f5e6d

SHA512
fb4faf6b75d7660bd4764d3695eab618a2ca771ff8eba0ad84d0eb3f4aa9a12a54444b9c41dadff7532f967875b13a385ec96a67ad19e9f7e5a9d5b847da5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df587b56548aec6ecc7915675082bcb0

SHA1
7a45b0b1d96dd54f5e9954355ecff08c0d049a23

SHA256
ba49961dd21a52d4c635e62296f7a6559d9526663449b8f60faaff999abfd0c6

SHA512
28daef3bbe73f828006df2d510f31e39cf8157fc0a5507d2be5c93fe23592dd68fa5f53aa7d22d39e9c6938b6a0694239722ed36cee3e36c323393ad38606e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c505b1894a5cd9fc1acb397d38ee4349

SHA1
33f05c6d980ec3649f3229d22b37204f76d2811c

SHA256
45e8c644bdcf9c6bc4803c0b45f7d22648fcf236751a36299af4c6a882fbce49

SHA512
7bd4d42134664ec2e58ca72f4de386fa6ccb3a2e98917d1ecf98c702d642950e1741bb4f34d5aef93b5d5963da4e15472207c0ca076ae59247fdd1bedb5b9a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f9708b4fef2c7d356d1999ce77fc6ed

SHA1
b58a17d5d933fb61ab38cbc4fc419e75f2af64f8

SHA256
d8bd05fd1228146df5aa6f7b5f9587a894bfd9fab2253c5235818a3019bead9e

SHA512
35dc12945caebc8558b609328233a0e62de2f6f1c9c44a0eb93f3575130f3a64c1b5a0557f027d55300779dc76489c8526d4e67888d5585858edf1a6d8ee2e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dd20db156319b78f3e32fe103154eb42

SHA1
d2e98ce0f10323b0ca7f45373626accd6579e10f

SHA256
0b722b9d98729bfcadd9dc162b1dc95f3cbf9d717da1d6e7899c5dded95c2afd

SHA512
705441014e59f9be91ffefd53e84e7d2b871bd451193754af8a581ba9c067659a024b4bd345aa04f9cfefc557bddf898698b9a07506e991644f3f40e9d82c0b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
deb995fa452647cc881f4d98277d4eda

SHA1
73c18277d735ed2fdef5be1c0402c622d46f08f7

SHA256
ab0c3ac03f9e736865196c655c571838f7f57ce877a78dd625d64cf5fd2492f1

SHA512
dc331f7a1386f1d3332cb7a40ebeea311b013078ccdcc15545576f936b133eb88cb1573d8d516e6c4b661e96e07b4e441a5af309ce8f6c26aba80f3731c0ed03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a23d50d11b6acb94b3f872c614cadb2a

SHA1
5bea3a577af4c4e6bab23bc30149e7ece03aeca1

SHA256
df6d670c87bdc17a0acec9fc68cb85348fba092cdf08c3d38e90ca00640ecee8

SHA512
f5f35f403c54059b72ffa6cf57b100d24d233be399c53030bdeac70be5f966db9dc4d1719c7794fa360f38e5dc4e88686be919073c03ff1cc99a30a430243908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
54b226ae36c3c434a6b11f39014c1e2d

SHA1
7c09ffb25e65743b0fc7544499b6c34f69d1ac72

SHA256
45e2cc0bb4eb0114c1403318565a5d039972b03fa0c4777485de4a865e94b5be

SHA512
bf5c429f244dbe243feaab9aaf78ae6771438e6c47ce0446472cd551e43c596ad4ecd9ac7d94193f0cd4a17635b0670c972b7291bc99a35820a26fd62e4830b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ee57c951b0efd4c0776fc4c1b7c8f2c3

SHA1
ae37cc86e614b88110a8bb9f593903bcc4f208c7

SHA256
9f7e5c44283e633da96b689d757b2bad768af933b450fad5d539ed575bef4e2a

SHA512
be8a390b5a97ecbb5c75123c206d6e3920c6ccf84d140042b4d207d7bd7903a4d92f2b4d31323fb6067b80c781443412af9a5d6bad467a6c5d31393a27c1e38a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
09efe97b076683add0d59dac8313c496

SHA1
9bf25c22bdf9aae8885a5e5a0b2287b4a7bf5972

SHA256
94634a3f9ccdb4e450da31bf5abfa81f18a170ee2c763d8d534263ebb0d752cc

SHA512
e944445f15dc4dd5694944e2a380ae6d3f0ee28b8bcf3e38b06a8d8fa80e304ed45ad9092e402182bcc0f041fe61a4064a4b6bdd9f141f022e87fa8887600bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7a44642ffc49a7dc285fcff4de02948b

SHA1
f33bc00a7f3ef19549aa329a17e04e1bde82ecee

SHA256
cdb3ac0d57bb9c6083b6f8b9a01a35207d036b4cc511040e81016e96bb9405fb

SHA512
0ccdb1cfea2b8782fe6d20a2657a70197096362e240e85fa94a9c4ec16e6278c56815c7ab3b8b5f4d8a9d9093438d8cd5fe91223f0ae31e5afcccaf09497de56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
86f8f472dc4ae6141ae013c8fe413153

SHA1
73651c84ead0d5574e2199e0531d895b1175072d

SHA256
13cd8fa23fce190a65a3af618cb5f3407e12e9884989ecab4cf4636beb7caece

SHA512
346852c7b3d87eeded87ab178d82c3c074b44157edaf6ec4c347fcf6654f7602eadf789197eeab4aab6eb1c6eb09b6cb1227981d5d07c156860e7660de9ae5e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c2cef063a46f14cb85c8565cf3ecffda

SHA1
dec6cbbebd5016cfff0713015d1df643f568338e

SHA256
d116d350d3a7d22d466e0ee05bb03821d40decb528482ae834a8aa46d07574a5

SHA512
8f1f130167d0839d22bbad68fac9dabcd20effcb1cc193ead74de3e4ad28a2032a7fdae28dacbb6806491063a68d59745f95042e801277a99325e60c4c1420ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
73f23fba16a926b832c95bd13915da74

SHA1
cd5823ef6d55e4ecab0a0f9583bf9af7c7844cad

SHA256
45c8fad3863da7abba9fdea84c4f6d6575dce74e93c81fa44f2f580e42d4d8ae

SHA512
361dbbfcac9196f56a8ffa6816ec737be1057a901584a963e0f93da338c4c0e8c45ffd8047033891366584b736dd3d8267916155c5ec543fb86785fdeaef0c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
62e15551101f9ecd4a0a96cf5d7e00e5

SHA1
a6473b4c8769f492ff3bc8a25e3847ef38012c91

SHA256
54a85335ced97024f01e93b1cbbf992174eed7abfe532d422767e11c43b45950

SHA512
60c433eb58403bf6d0094e89c2effb3f7177f32378c219d0ea2316c685ec9fcf41d3f618aff01c41d04c7c751a188c5be98dd04ce1305608d3db5b235d756a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
79ec30abc6cc8ac1409b96af33c41bc0

SHA1
194b2f3aa36706ee58001120d07e0305e80d807d

SHA256
37e291b343c22bb7c889ef4a4d02510eed7daee69cbef095dac5473909459752

SHA512
1f14b8451ea38956bbb45deb66930b842743738cbe65eae205472b94029f726fbf90d72f8159f53462cb90e646b948a4b45e1f75e8cfdd0edc230a11f04550ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
abc55e4a2081166695a8db166232dc89

SHA1
8c4a113536ebb421969e1f09a022cdf0c3f22474

SHA256
dcd405909e48083e80c926cae089655d9c0f3186c5c673983121d4ce95838295

SHA512
2d8964ee6b5a206f72db0a80f05f4c13607bb4359bc6b576d932a6ba158ef7ca4906a11dc8c727562b56a27332878c8ad7366f52e4f930a0aea98a289c37973b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1a2297c21829c8b9395d8e646cc0454f

SHA1
d67599e063457e3cc1fa05c901f8042f2df1acf5

SHA256
72f10130d8abb0eeb9ad1e55fa325f8ab0c774ea7e8a75f841a6b56f61adfe1e

SHA512
28d808424f40b808d31122288adf4914e816fea3868372e67d15fb2334bdcf1dabb6e2a67aecaed920b60f2a27db6e004e64f8394c1ae2a9542213c31f83a2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13354446392157391

Filesize
14KB

MD5
52fd3316e34d87ff02f741c7e64a86fd

SHA1
97877c953044420b99906ce44f875c47da453f10

SHA256
5fc66a810588fdf58cc89e61ed63972c935b9db37a8b85f349cffc080eb86fd5

SHA512
035b2e2afac2bba3d9c44b7503e0c4f85344c9288f268f45dfff3c31cd1e3b8d7790e934c238ec9bd5226537a91a5ff129901e9c781e4e1401f32390172a8337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
376B

MD5
db6d163f4c76353c992b94f529c5f0b6

SHA1
eed4c4cadecb4dd454ce17c5a58e7b14256de173

SHA256
a60f8c0841da787f2cee0b9c919effa84e54eee6f2a1818a7f8a792acfb127f2

SHA512
dc0a83f94e6a7c51bd1a74c56222305080c54726617a87bce9be09e658d1c373359c131c3e88d72eeac9b3312adfa8adebd8156b344fa5cc160baed68342e9a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
fcdaf4f7767764e84f526fb7a544ae25

SHA1
3e301a703ddd2ab418cfd661e3fddd708fb3961f

SHA256
b4e0e8e4084ec90f8d5ccd46f9d1f94eda5e5756d074b1c433ab450a08164ffa

SHA512
42841be99ebe418cf6b792276f089b07894c09cccdfe0ba0a859aa7f2db21bba33b3b4b896e0c6f53bc4e4a67e66a8b0bba5bf04b308569f42000b2bf5f9dd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
1da869af061cdc70267768d7cc8a7a16

SHA1
4265d93d522bcc714d6028c94c2071b3a1580e6c

SHA256
7c908c0d29e0d8c1210f013c0a299a9b0da415dcf03d51c04f0ca42440614f32

SHA512
91305e7b2d6fc3507e5453a97731796d351b702c4d819d1a19efb24063dc761e814fee688d02e48b76369e9dc425f359baa013da7f4ad3172b241eaf153452ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
4474f53abf1565ccc364582c29fb6006

SHA1
d3d2b09b05844b6c18558ee90643d4bc673ba15b

SHA256
229a407da8bf6e17be338a6f4a3be9ce4175782552434320969fe9ac52c43fbc

SHA512
f82246a73ef0f2e22d835d0d0826dc17307bd83b0f6f0800e12b659685297523d3df5be57cdf63cd9e8f462f01133ae32f9a6a25e6e5031832aebaf0e0e5cbd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6fc1dbb5ec9a2c3368ad93b2d18b0ea

SHA1
aa268cf5e1ab4be6ac8ab3349ad09148e3e7f484

SHA256
8a37364cfc47617dcbdf655c0307afa7456d222c2c0f1d2df0044fcf74780a1a

SHA512
852ca790a4b25190dd44f00050d0e916a29819ebdce3e28eb9aaf3015035cf4f288772eeb0ef21440ec19a5df2144fae9d74167638bf9b2dedc59496139bc218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
508a96839dd4aa307b87319e31247eec

SHA1
80aaf4f722564312d14a7948c89dcb59613543b0

SHA256
8d7f05e357fc797957bb811ef17c9a62498f09d472551e18332c943f99341302

SHA512
4a88db33923a7e0e5e028f092eb00e5f26c36ce93c67731cabf66e45d694d7adb776d78640b348bf369a9a7e91bbf34db753b424055d3f3d9246320d4cb92fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c4db9329c36c09ed6b9b8bb1557335eb

SHA1
52a4aef1899c54ec93e4903fc4bade952507a9e4

SHA256
5069cf27d36fb1f3020f6c1007a3b72886ae0dd960afe5f55c7109601a74468f

SHA512
c0476d9825b78b2d241c59881a0f9d2c4078541d2e13d5e9c14718859760a37b827aabfdb5104e51bef3545e2013e1a5d78733c868944e0beb1391681bad2cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d030188fd45f1402949e500f9d94d07

SHA1
22abc907a22dd74a0894c6b1e2665ba8ec0cdcbb

SHA256
b255538ae6246f4be08360887b46683dd2c087285f8b79efbe04ff5b7a876d14

SHA512
11085b0e6ee17e52ebfe430d55fc16bb58b55afbdc66007225e54d81f18b44303b23d7ba78c72f8c59d16ac82b7cbb1e26d933c3d510732c758d7601607b5659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ee03369f6e92f5a18fd3a41739c6fc78

SHA1
5f1354d3a56ed5576080e166f11d1d798f45ab1c

SHA256
e4c2c9da54b9669924d8557653759132795fe4d293d45d255b88110a1feede10

SHA512
e2517c7a9b9aedfca584a52647867fae2b371c26bf587f3e30cd6527f76f76861b2f18e26bff0430539f2338af35a11b3dce7105f323079f3824c2d776ee64c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
22c2dcd14f4bc56e488cfa9b79121ebc

SHA1
01817c169aaad5be43f143323e88f976a93e6f65

SHA256
89a3dbcc8ad2944f6455a55e80e7f155aaae07dac972788465c35cc283a6eff1

SHA512
535e2ce010743e6b97ead3b92715989a2525d28f6fb9e10b9e0d72960410d150684c7dda072897fa5d44131dcb44274e61c5db4df2dff5f38dd7b5c231f8bb5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b82c9.TMP

Filesize
874B

MD5
3040659dd6a4facc10ffb4e5df4d5d42

SHA1
d62d99996cd6686450f17d5a8576aba63fa0573a

SHA256
e32e59df88d91026710858a2880ac11c895d18bd532934f196c4d9c8ea6dee8d

SHA512
49fe311190a0f64065353ba09b94065b1bd676a16305bca01dfcb9b725493e314900975d629bd38ee5b3d232158f1968911681e600de279bff34fd91cc532703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
02f651f71a1df04703e46622158f2b7b

SHA1
cffe62110ac54741996be5120bfa7347f1c7eedf

SHA256
47dda043328ab85cfce334060815024171d957728c72587311a154a5b1964733

SHA512
1e7c9a65e57f12faa6437b4e7a6a3da0f6f70fff2549dbc49752e2ba1ac5f08929a0dbaddfcce3a17569c39a07dcca5b360153c1a2098f60a4c219416450a12f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e51ed6e33cf46022e5149abbe1e10f58

SHA1
7a9c708b173bde9012014bb066fec2ead6b485e7

SHA256
7ceced3531222a39ed6090dceb0ce1a5b209efd8cfd73b57fbef603b2531d53e

SHA512
5cba4346b81f7818cf3e1981d6a500b72113278a13ebde1484dddb88377b150348243995debd3e1ea9f166423a00919967420c4ca467e895d0389fe7d68ba853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
145296e29aebb909ab29deb6ae5c036b

SHA1
8153996b4a05f93661340fe09ed8629dc1d12b61

SHA256
53cc831eeaa6f84a2a6447a5635df63edb056d7e1e971cef4c2e43754b9bc0e3

SHA512
6b2bb681e3cc2bbcb633fcfd3081099add9bac8413b830dd83f0718d1076e6f112d28032ab1f658f313ff15243d7f99b60063cb77bbf745b87eb72dc7d95a1c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5e2fbdbfdcef5ac04ae68bd1963abb1e

SHA1
877e01d1f57fd6cfdd79c2a59328faa5a7b07226

SHA256
0d158863b2ed56f12527dfad798a53ce413add93028180ca1d1fb507a5c5f880

SHA512
92088ee2bf7f0b4d22a82e7d45af078c99bcc8a4d8ab4c18b721cae846b31597ed20212a8444ee5dada1f852e85e17f9ceeef706243f1a741ddc43b1b41b1210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3aeb2390d6acf6eb17f0c323e0f7bf08

SHA1
0ce4eac6b668894178e103ff347f1f738390aaf7

SHA256
add078ab363049968fb56f9c871e387886f22c044f0874df384d0d7b3fc16326

SHA512
ff14ce7d3aed8502d3398953ab6af44e9b2c939f9fdbbe6bc25bb7db71da5f410794adef718597ef3ee694c6229c3ba37a9adbfa245b4940965998552b6e3c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e28b136d9bd05adf8114caee0af82f50

SHA1
87913a1095575922d9b42ab7ea7f387ee8c15e73

SHA256
4f8536fa9b508689d969f8846e841f27261d57e9dc469c79e7f1ca156f0c60d3

SHA512
9f84f8a740d7417cbd82b3c1f7848d4c8c3395d1d54b46b882fc1fff1b3624ba77d43be488eaef4479acf531f41572cc0222e38b5b3964b9fdf670466aecc944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bb1ccc91602ce2fae08814fa6cd75867

SHA1
efa5a058661916dab6184c68d9f3f4007bd6cb8e

SHA256
c4c9e13c1bbcc73d749fd26ecc6f0d3fd7f9210eeb1a103b83587eb8c91270d0

SHA512
7d64cb9165c816b85b9accea07dd987136800edc75a44a184ed60dcb3532651dec194c5eaaa92100d3f154fe9adaed8cf3683dd29bfc82df011c809c3a7829fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
802a84b3e5390bab278ce90370140486

SHA1
5b9a895b6814bd44ed2374984c87d8e2bb190b8d

SHA256
7cbc03d3d4bf301ef95f16d63ddd914be3b1ceba8028cb4c5db05f41ab233f31

SHA512
f65f3db05e137f862bb6a264354f8938cd760978afeb2bb8d62880fe6f2f17e2b8b60d8c6c794ad2dafb6b5500ca737df15e2cacd88cf816caee269900bf4c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
3786ca51649c91eafa5bea19a9af6eb7

SHA1
2132e82a8aebc562c3885313e4704e2f8ab61ba8

SHA256
bc7e5ac62f53f38dc76135442598604aed4dd9e8dd2f6ad23246f353e499c44c

SHA512
2270aa97fbd5816355fb75f65ad3192e3a47456084be49ec1bfc5fc48ebe8121ea9410f8becc9f6165b4a0bff79d14db32f8d00442af8e23684e5c39a9d263b7

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
3.5MB

MD5
56fd2eaf0168aa8f5a152d40a5c9d745

SHA1
c64931d48b1ba9eba5ea675ca185344a31740fb0

SHA256
c6b936793913cbc465cb96a98913667419128df3194d681ba61f1f5b22ab80c4

SHA512
a6a3bb702b3beddc34ad85a08d94d4d546302a32f8bce46210b22eedbdfd181388c19385fe647da30273c0657bd47bde0e80f0f34c20e1fdfe96f4b4c53e1236

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
2.5MB

MD5
2045cfeaab6e9f8349a93b8809e8d9f6

SHA1
a5c61ae28b66a9a90897c44ae3c567b586b69ca3

SHA256
ea50b57494a45c6698d14315fc529093ce303fdf38bcf57a5e74262e3c5ffecd

SHA512
c62e6ee21192ef0d170acdd5c18fc565054ce407223ddf1d08d74155b09c9dbb268dc5a7b3c0987d419dd441599c3ad71b702df62608b5f490a1ef724129f25e

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\EULA.txt

Filesize
1KB

MD5
73260f26eceb865bdcdd0c6dcb048734

SHA1
d6151f79bcc9cf4cdc1eaa856aee48ebeed5e6dd

SHA256
feeda441eef6bb3787db9dccfebf00f70ef30f5881ff2cb089f3e1dbc06d0c30

SHA512
2104cefa4087c91238a21b094f26bd48d188d6c40488b68c9656d47e1853a50533a4e5b2abda5b922572e01f60aee3b7d7e594c0f7e3491c3afe8f2fffbb5b4a

Download Submit
C:\Users\Admin\Downloads\EULA.txt:Zone.Identifier

Filesize
173B

MD5
a55b3d5cb5bca3ce5e8df2068278e8e1

SHA1
712e1e4b4cf7e085b3415ecedcf231c0fc845009

SHA256
7bdbbe0892b87166456586758ea379bcf6b8e02805ff767b2d48541d7a39f27f

SHA512
fa0c42a80930e8538126b74a776229bf833c5a55433d063e8833d6d55d3a705438417b51ca6058cf922cdce25c16b6435d4f5f063ddffa2db2d0f9a723bea105

Download Submit
C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier

Filesize
651B

MD5
1daefc1c4d23b4ac269c6a57a35c128d

SHA1
5c8d699b7ba5c2c2d468e606331763a122a0fc4a

SHA256
ce8d290688c846d39ba791b3f8155faabaed84d1e3c9f5e45e254401708fa865

SHA512
3cae8ca775a463e285cb9e70ac0304bc530637b5a96ff7e50571f4f357a222bbddf69c50efa978836cce1fd71e11dc79fc85c4f4eb84f1cc4cb0c98998c5b58a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 499919.crdownload

Filesize
3.3MB

MD5
3d578d30f8947a0e4ca0b6e340c6f9d7

SHA1
d581d6caec9ebe4aef2e0d365c8163116d18383d

SHA256
6d8e3047582dfcece9e3284538ff46a16e1809de18b1a7543e2082ad0a009237

SHA512
ccca55db5214f271d94a6d24596f74ae08e0d5ab053b9fedce6670d817ca0cf9065a5db76216362045e0133e6644139e73c72129c165c337898594c5d385da37

Download Submit
C:\Users\Admin\Downloads\WannaCry.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\d731aa97-a4d0-4f75-ac73-2a12fe6b7de5.tmp

Filesize
9KB

MD5
f7349874043c175bee2d0ff66438cbf0

SHA1
da371495289e25e92ad5d73dff6f29beea422427

SHA256
f852b9baeeefde61a20e5de4751b978594a9bf3b34514bc652d01224ee76da1b

SHA512
878f4bc1ab1b84b993725bcf2e98b1b9dcb72f75a20e34287d13016cc72f1df0334ac630aa8604a3d25b9569be2541c8f18f4f644f5f31ff31dd2d3fedd6d1ad

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\LOCAL\crashpad_1604_LQBDDTWDDIPAQFQA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1964-1341-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2008-632-0x00007FF776040000-0x00007FF77604C000-memory.dmp

Filesize
48KB

Download
memory/2008-635-0x00007FF776040000-0x00007FF77604C000-memory.dmp

Filesize
48KB

Download
memory/3692-2729-0x0000000073930000-0x00000000739B2000-memory.dmp

Filesize
520KB

Download
memory/3692-2739-0x0000000073BE0000-0x0000000073BFC000-memory.dmp

Filesize
112KB

Download
memory/3692-2727-0x00000000739C0000-0x0000000073BDC000-memory.dmp

Filesize
2.1MB

Download
memory/3692-2726-0x0000000073C00000-0x0000000073C82000-memory.dmp

Filesize
520KB

Download
memory/3692-2814-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/3692-2730-0x0000000073900000-0x0000000073922000-memory.dmp

Filesize
136KB

Download
memory/3692-2728-0x0000000073930000-0x00000000739B2000-memory.dmp

Filesize
520KB

Download
memory/3692-2732-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/3692-2731-0x0000000073900000-0x0000000073922000-memory.dmp

Filesize
136KB

Download
memory/3692-2737-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/3692-2738-0x0000000073C00000-0x0000000073C82000-memory.dmp

Filesize
520KB

Download
memory/3692-2809-0x00000000739C0000-0x0000000073BDC000-memory.dmp

Filesize
2.1MB

Download
memory/3692-2740-0x00000000739C0000-0x0000000073BDC000-memory.dmp

Filesize
2.1MB

Download
memory/3692-2741-0x0000000073930000-0x00000000739B2000-memory.dmp

Filesize
520KB

Download
memory/3692-2743-0x0000000073880000-0x00000000738F7000-memory.dmp

Filesize
476KB

Download
memory/3692-2744-0x00000000739C0000-0x0000000073BDC000-memory.dmp

Filesize
2.1MB

Download
memory/3692-2745-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/3692-2753-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/3692-2761-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/3692-2764-0x00000000739C0000-0x0000000073BDC000-memory.dmp

Filesize
2.1MB

Download
memory/3692-2806-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/5108-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5108-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5108-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download