wannacry | hxxp://wannacry

Analysis

max time kernel
247s
max time network
252s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09-08-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wannacry

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD34B0.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD34A9.tmp	WannaCry.EXE

Executes dropped EXE 13 IoCs

pid	Process
6028	WannaCry.EXE
5668	taskdl.exe
3408	@[email protected]
5496	@[email protected]
5864	taskhsvc.exe
5640	taskdl.exe
1980	taskse.exe
1108	@[email protected]
6128	WannaCry.EXE
4720	WannaCry.EXE
5988	taskdl.exe
4636	taskse.exe
4456	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
768	icacls.exe
2980	icacls.exe
2468	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xinooffmkqlv074 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
57	camo.githubusercontent.com
80	camo.githubusercontent.com
101	raw.githubusercontent.com
10	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (1).EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133677202505976212"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{68FB998E-C72F-4F8D-B125-423017381D4E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3948	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry (1).EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1028	chrome.exe
1028	chrome.exe
2384	msedge.exe
2384	msedge.exe
2480	msedge.exe
2480	msedge.exe
2684	identity_helper.exe
2684	identity_helper.exe
1744	msedge.exe
1744	msedge.exe
5716	msedge.exe
5716	msedge.exe
5868	chrome.exe
5868	chrome.exe
5868	chrome.exe
5868	chrome.exe
200	msedge.exe
200	msedge.exe
3752	msedge.exe
3752	msedge.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5864	taskhsvc.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe
Token: SeShutdownPrivilege	1028	chrome.exe
Token: SeCreatePagefilePrivilege	1028	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
1028	chrome.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3408	@[email protected]
5496	@[email protected]
3408	@[email protected]
5496	@[email protected]
1816	MiniSearchHost.exe
1108	@[email protected]
1108	@[email protected]
4456	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1440	1028	chrome.exe	81
PID 1028 wrote to memory of 1440	1028	chrome.exe	81
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 2852	1028	chrome.exe	83
PID 1028 wrote to memory of 480	1028	chrome.exe	84
PID 1028 wrote to memory of 480	1028	chrome.exe	84
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85
PID 1028 wrote to memory of 3820	1028	chrome.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5520	attrib.exe
5276	attrib.exe
5164	attrib.exe
3576	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://wannacry
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ff8d643cc40,0x7ff8d643cc4c,0x7ff8d643cc58
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2984,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3016 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2988,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4228,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3004,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4508,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4900,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5036,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4744,i,8993622006405532080,8907011884894804755,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5868

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e71c3cb8,0x7ff8e71c3cc8,0x7ff8e71c3cd8
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7228 /prefetch:8
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7124 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,17167651348635151304,11217163203937281348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e71c3cb8,0x7ff8e71c3cc8,0x7ff8e71c3cd8
  2⤵
  PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5864

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:6028
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5520
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 132881723246815.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4200
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5276
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3408
- - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6008
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:5552
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5640
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1980
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xinooffmkqlv074" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xinooffmkqlv074" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3948
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5988
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4636
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6120

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6128
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5164
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:768

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4720
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3576
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
9d98276b4d394b7b5cb4286d4955643c

SHA1
3340f3de7fa0b6f6172fb60faf7dc31981014084

SHA256
531ef87ed8cec95ac6623134ed76e7e5aa0c693ca28df86fd2f5a31b97115e15

SHA512
5fc352fe2cc33aa1b3b582843708c31643b6f0fb17c9563c2406d7b08acc6febc350f95e513cf93672d996e2326a936679225fe874f839ae4b0961340d7bc39a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
5b304036026089990addc29f960d94d4

SHA1
20b198056149add9ef4a078f74be11412c2a05fb

SHA256
b1c68d23a44a668c44a462b518d730e72b0098230ad1af43c5a65b5845f7cfc1

SHA512
cb268e9a4729c338d83bee7a9eac5caa25b4da7c9dfceea33578411e8c8da7868656710c05e08a35c1ef87dc8aab0159d92ec431d7778e6b2a195a3af4cb00ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
59c3155f03e099290ff6f4406cecd724

SHA1
4df8f8a0ab6dc75b8b60da33e34691f66e70d72b

SHA256
10ad411a62d1e7afc658c2c26745d1970818efbc722e2d3c48793a3e44192401

SHA512
d90b2d520ca5460783acd0883be33504907ecba2186b23bb4567daaa65a70cc9fa4dc671e747bd9bfcd936f4b35187c3011d7257c93c7449e049203f2ddefe83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0dae05e51b075531dfdbe49bee964378

SHA1
6dc948d31d13181c53cc33cff89f38d270fe5584

SHA256
0b8587462bd2b0ba02f5d8d29d4c3fc78ff88bcacceb62bf8af3efc218c18f25

SHA512
93ff14d680ed8f7b3097cf5639318629ac542ed869db0f89413610ccf208cb410ac63534840b390307a1051a21ec044422abb838721dfbaa37c7c7e188e13ca4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5b9422a1cfe45005dff2827317ba2e4c

SHA1
92dd14032ccd2dfd8f5242c063fa4d32f782c828

SHA256
5c72739abb49d5973610e6507d7efe133568e58e07252daef7ea3f033e1bbff8

SHA512
3b99c9efdf88802780d0f758f80aa4ed7ee10d3f12aa9221757196c4f4cc04a4190537929bf52a79b704c49cdccda40be72bf5bfe3b23871e5edb5a24d9f71ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b3d7e7c530ba1720d5d873892d632ece

SHA1
2da31f5770f380d248eb4db0a504cdb2c95ed3ab

SHA256
04b3778c64ad462bd078d07404f17442061371097213b0ed8675f5f764559095

SHA512
21f43d41b1ecff809a7cb3feaf6462cff683a25a5bbd2af20b8b9f05128f3451a8c8a23ca457ca274edb1ebdbfdf8617b44f15aba2a63873252942de25cf51c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0ba16a97b1cf9d76a3e2d45d3792f13

SHA1
28d48f3f3cda1b217094275e8be8c08b4dd8624f

SHA256
d9648636a587279729bce43f5ea6673907802f600c53e31ca6bb648f02e1db4d

SHA512
4542fb2a399e2df103ef56ed932db779e7be4cda07937171cdf9d9fa6b79d62ae1089620f8e67a2c15113f83b911fdc5c13785c4a3162729f1fca780183363fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
826c63264dd0a293c1281a4e630c5576

SHA1
584261a17bf9d5d94a4842734d0eb89470d0bda3

SHA256
f3df025feb672533a9f4a8fb280a34b18a28f67295cc3f0df5bb78531199cd0c

SHA512
dcb1dd05312f15252089516e71e974c4265ea4ae8eee2ec9654833fafca95a05bd62724f3eb4b1f1dae995fcdcd1ec579125500a0c105f22aceee05f4568fa4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f95911b78d2ff98c8ddeaf0ff44926c

SHA1
df59ceabc4c058e4d598a245473b0461eff5a5c5

SHA256
3dfc5ae64ee800d1e23ac46ea71da71246465152f3bedfb5a3c771e48ded87a6

SHA512
c76fc473a1c70c09042e007b8348bfcc1a833287b91d158f13a80fcec11d31be767063305ad302f68473ecedece5b1795bccdc609b104b37c8dd4cfd2da626a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
86357b46a9502100aef3eabc4cf3b7a1

SHA1
6160dfb6a6a1a2cb65fa89f5a89621630093c8ec

SHA256
292cd8a10633aa8422043f61b8e539d84d480112c29b6e2aa29c3f21ef4c50b3

SHA512
ad1365f5932c44d0239e5132d734c47c9f1ba89b23ae2a499f98fd87c5cfd19ba15581246268304ca7c748363186417a618bda09645dca8775aa08043539eeb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
06036e247ae60d1b2413a5481d9c3622

SHA1
ba2076933a6df0570eb90a85e0cec674bf90b041

SHA256
735ada3e7a643a1da01b1117309b07c63e7337ddad92ba0ca9b6981b20616622

SHA512
d226e160975bf966931eb19582726c9a241de2152a867af92b298f554650b54a12aa0c344b7352182f438ff9de2f795f548ea85be1d51fcf5970a57f5788fc3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12c7094086cf166ecc4ed786292d7b4a

SHA1
5425ebeee22973f4bd5922edf1cc325280bb1fb8

SHA256
ac0131d1d652d2edb61e90e47650150a398ad039a41fe8c49f3a76e8bc19c7aa

SHA512
3374785f8ef95351837b3cdd12e9caec1232693f6c255a4d3e8a8dcb0a69beb99f854f149c1f3bbc40dae56555939abc0c6f4752ca9e5eee7682b39b62d1686c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5fb9e375c4037bacaaad3c50cd413c24

SHA1
3d8dfe99954ddfe8769ebfeca5b3e35899728b64

SHA256
bd249f9d6b8126fbda968e8f9bf7fdf19b0948c7ad35d7127a1ebde62547d1f8

SHA512
d53b1a44a747c92175be27dd5b7b69a25af6576b6e43a189f22a535999d7b7f23ccd91670c6256afa4eb75ccea0c9ad9ce95f85f4c5456c1c45dc40a1fb460eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c5e5e5cc8dcdf16a1d8dd3ac307ead3e

SHA1
bf58c3e2355eaf7407dd6cb118389cc965560906

SHA256
d440a513aa208432057a270c33847eeecb1c486ea448e92e3d1252ee3bae8805

SHA512
58d2396ca4929aa3bd446ddd3f250b1cbc291ea5b0fa376672ca04c4bd51e5f0a6923f59ce4423b199f8f348886537e9fa125844a70c9f78218bee32922d103f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8cf98697e64c779a22ea3b0f2929bbb8

SHA1
4b9efb14c88425d80f766769822feefbbf33fcdc

SHA256
9425ff4d4f569048f05c1c1885c1980c643f7155b2b8363bd6d5207bb0463598

SHA512
940c664b612fc59f71931305305581ac5da5bf9a97c90feffc7ec626ac38b97f7449fa1c3248d3e624cad4a66c589ad7b107ddbae98ede7466e7de0aa01be9f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41487a4fae5d8c89d7c01777f4c94efd

SHA1
b377c2f3070b241e5af16f3383db43350694ec8b

SHA256
2d051ad2ad871b15990992a1319d0827db280d75c5c280c628a06a5b61b7b893

SHA512
4f8b5ace385ce7eabcc840e20c9a721c83720f860e824067a1c532fda0f02d97439a6f1669571dfa8c7b680e151fba876063190acde4aae9859c9cb0c53eea4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2bcb8c2a9d30527231c17cdf91de1211

SHA1
a95a5b4f5211fa35f2350406be20f81d4e9fdf51

SHA256
1775aa1120533d9ce18878328d744671e1f47cd996bfbcbcfc41904e3493fde7

SHA512
0588c160298c81b7309781aaa2a622ee00de40fbd4688475e3d24c53da550f05730623e01dd5c3d910a8a939eb29e9e9c3bd60c9fe2af2a92e10c341d96ec66e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f445615e1e3d78b72434285083afc6eb

SHA1
20a1f882e56f7e58fee66e0381ad07c3673b0f19

SHA256
92f5c16069501855cb66431871c5bfde23f48986ee5291bcbcf26d37af9c3b8d

SHA512
c3aa4f98d206ed69d8c383e50956186156c7db3d04b3af6a0b4a291c77f9523185e9646882955b25c29db8247b7efaedd2fe2701277c7e35c406434f925a793f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68e0680d801309a060a0a544bb3b91aa

SHA1
708be3cec81fa5bb97fca4668aa97031aedf6bf5

SHA256
329fcbfdb34ce88ceae8c1989d08a48640e9e0330fd94473f95e2cf9556d97d6

SHA512
7d18f5dec83b26a46834b7aaacb510e81d45be8f75ff7439d61eaba6db8fa6403cf7064671e640c0a7de21add70553f40ec65c851f57dcae03bb0f62271ad24c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a7fcfb61-46bd-4968-b282-07789ff6893b.tmp

Filesize
649B

MD5
63f146ecc9532f3f9fef1107c45b980b

SHA1
111fd49bc79da8d9fa36d62c1d38e888c6abb48b

SHA256
601dc63fa4a94873fd7368d4d7a74b17d9a2d80e872036b2f07e9aeaaea6d745

SHA512
cf30cde2e1bbdfbe9c0af589e82efc492a58618d63a17facb5c57e721e123f95dc7d726735733df337959bcaa99b84822158eae9a242505ee14fb8325fdda1ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
9b501d4b49a0024f72a474c9af24f756

SHA1
ad004c8e80caa9a6325d5e4460dabdec817cdc35

SHA256
4baba2b254b10df78b03978ede17ca4c0906b60405f7853f819645e162fe0405

SHA512
b3ec64b4d305b97be8f10e6e8d2a037b24dd24b55b5004d544c8a0215d0267c21309914c60e84e5d4b15fdce01d0240c95c614d2b21ea123cd21fee4e5f66648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c0d63a60d5f47fa76ebb0d0a5a0ecc9e

SHA1
62d2b9c46db62971111dde6fd0b6e653f9f4213d

SHA256
e58a4965d37c63157ca98837deab6560cd045825470425c1937d9f8d1c687743

SHA512
99cb0d4c839c6660d13ad942f5d988d7560f77b75707440b5ca8e8aac316e47f4006c148a9bbbcab1a502cd5ba514a4c89060a11cc4d499a86a81edd7db1a487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
f9be5a1d8a46dc775c8a07b01143a928

SHA1
2b457ed3ab8585d2defac5adbee7f568ab48810b

SHA256
d959aa2e3650b1cbdac2e7c15454d43e0d8b78825122ae61f485586863be261c

SHA512
09025b925e7bb040430d7b2d50980b036ee3b2a449def8837c01e2c85c81fd9e1b0a523288c3aeec3addb240dea5cab0a92d71084ad51b22854bbebd4353f677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
efe8a7ca14cd9b7a9b15505c2b20abae

SHA1
6b5f62d3eab7c1b80aa9b1ddf976c7aa429d5da7

SHA256
49d22223e212362df1f6f0b2b054d42028bb6e9f0752447ab1cd3afe8ba0fae8

SHA512
5cbd27de0aa5512245dade9887e906de4020d53fe5682cd425d5826a0bb075d8977a573fbd57b13506ee0fb2b94efdefde9b0e1a1d3b0568945ed6eb0d848c17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
00d4cc262b70dd3d386111ff78fb0812

SHA1
628d4dcee1e82d04ab3969c29e256cef10101407

SHA256
956916ddd6bb5ebde0f5df3605a524d1624ea335cdc6bd5bf26681d3a5ac5239

SHA512
12f3cf77c4ee58eb00b08ced394d35e35237da4bc9ca62b1408c6dca4350068aa94d3a0e98132aa0e6cbcbdb7dee9c2b9c5399ba7c4780442200ad37a4c2b1a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
3f06d90f781a40e2014b2b3a97c48b41

SHA1
660682729eda776fef2b49c1e4be9860a032bed2

SHA256
c051c48247b58ba107b7ded31e6a3913c8e0c890e547047080132f4ad81545e2

SHA512
ebaca5aa11d984601460b0def00e974411397a00efa251b221145eab261a8180c8e35347693e1ec3a1528b8dc206259593f21fc1618fa79840f588286c7e6224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
8a9e09e0ca634e6c1a927523267e0290

SHA1
0597736100b0d3502090063a2c9d88c87befd804

SHA256
c1a50545f5e7b0c410b6d81401af64128f7f523819462a9f3351c01ada935754

SHA512
12ff3d79397be51b35c6956cd3af5b53f85fbede4305eaabe3adfc8df27ae1966ab949b7bdd1f9fa03ac277c7be3f7de36786f5dc9b5c0800e91be588b0bd816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
72f25717001cea231bbb573f7fb6aeec

SHA1
5cc921564a25b53d62d94031579b68460a440136

SHA256
5a2fe589fb01c683639c3f033c380d039235ae8867855c58aec74728e0e80998

SHA512
ae812f8c56b5dc275e0b8b965876fbf99c02aedf50b9f84988fab07c4faebcf75b164bce72695b913c036e4392e5af51641e7d40585f6e11acd9bd04c453bf13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
260a280b698de5ffe90be5bef2609da5

SHA1
ffb74049368ef1f4a568e82e3eda7f7a7fdeb393

SHA256
af951a065c2d0f7cd18eff9c83ef11ee27c3764589c9bc922e4c5a723be7525a

SHA512
e1ec5ea15145a9747111c2e68291fdbca2d4a22fcbe71a6cfcd1e35c970758bf41583c4181971d7dedb43891c0835c5af2e40a29eae7065f9f5f519f7d99e722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fc4da6b578eea319e04b42c56522a28

SHA1
1782daa064faed492e8ef6dfab941a80d47cc9bc

SHA256
7fb9d865ef4a352fc7a4ff5af7315a403739feafbadbd6523f54e64544572b3e

SHA512
107add37d7adcf9024c3290f0d5a58852f4534e12e2d132e8a1d4acb7da735f47b52e62c917c977ecbad1b4bfe73f55f42f5e268d90ca946fd769395ace2bab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b6e4c55e61870a8ed2845841ea604d09

SHA1
09eccf9056378e9c88d93dcb4b4fa8871932922a

SHA256
b22c20facf8406ecbc48333c04e76686e6239b8e8c0b1ee30124b2e0ff9a826e

SHA512
9c957f3fcf23b8e12dce1adcb04b1b1f97d8fb13f9b7b96e739ef19ec45779a0c0cf22ef406a2e63a65f7b99a456bbfc08cffea62f7a5e19d748e8d2d42672bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4b43223d9216278654986c69da5552e9

SHA1
b651cf80fd7f208e31997e212da5aa0f85e0b18a

SHA256
2637ae40c8cb415baa950e6c276531c90c2610d48af91aace855a75c5005d7cd

SHA512
5c7c3f1171b2d604d000fc05e525ee9fb599ec3dddca1703489cff9933016fcd5630d1260bdd6544e97f904cb785f07b7309407379b6b4c2051961736bbc5b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6102b4ef33e9c8b851a22cedc943faa

SHA1
5a3b0ec0b1378abd4a99d1fe415a4ff81963fedd

SHA256
62b201678e917d1be7946c9585b46a9f029eac2fa7bb4d9d37e5af6bbec83ba6

SHA512
b01ce743f6851fd8fe47a792ecfe4c52adccf3f7c755c80996436e373dccf177e3295b7257df9f705bc707253cc66404612221f93424b1b9bfc7c3b092de83d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
827d0487bf690208c8ab462a400fedc7

SHA1
e7558a6ed1bc66f58338e3b9a34932f939a5c19b

SHA256
be4e4b13b683747d097e202ed840d3ef9cd22bad7a7e2d776118dbe2626a2688

SHA512
25ebca61bfa4df02fd0a9be11b678c9ab3971570200fe2514dadacfb1a3b400b11a86ecccd3a99b33d327a89e8f34ad30755bfe299365ff32502d6f7071c5b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d8abfdadbd1c42f481077345b37f1072

SHA1
422d2096cceb9df107720a84b015d421f9975df7

SHA256
58262b0d5b8a84b3c7090d707cc96132275f6ab63b49ca8c8b5a12a617f08a94

SHA512
8cbca11bddf62a2977221f45e8bf4612b18e8295704ab8650e780f71e898b1b7ecaf2747fd877ef3ddc8a89c0e7a25476310c6527555d487d0a3a72a1f7bb268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\df13f278-23c4-4bef-8b5b-b071a5e74b11\index-dir\the-real-index

Filesize
72B

MD5
bca9451a16594c3b2208865c1f24c123

SHA1
19643008fe52d30584c11bebbe420c6cc13f2451

SHA256
dcbf4d45926365446edd5ccdd1c2bbca34df9c50c66b8e9d311dd990d69e33ab

SHA512
45caa892502e52e833c8d0faed04050967c44a4d4540da806d17c5a8daa01dfa43da2266d190907066bf2706a322fe4934c5a219cccdcb426c1bdd0809253ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\df13f278-23c4-4bef-8b5b-b071a5e74b11\index-dir\the-real-index~RFe5935bc.TMP

Filesize
48B

MD5
61498c6e1fa0731c0402f20f64d306ae

SHA1
db81d7b9367a3e2a8c62cd62c9c39f1a0e40be8b

SHA256
6f381832f51001c8f658f0c7f650dc9991722dbc2ea5885a311e54630bde313a

SHA512
4365b2f62e0d51a673cacd2344455257704c6f6bc23919630c5dc50133fffada0ae5896d2cd6e4204a3b08ae18e10835c2459662221b2e6446e8713a084e7eb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\fdb11d0c-31be-41ef-a3a9-317b1621ba0c\index-dir\the-real-index

Filesize
2KB

MD5
25b84ae231bb2f4f8d1265406e24416d

SHA1
bd2b2e050b7e73bb0120c7e8880989139493c8d1

SHA256
a71cc356c5f9f4cc27ad94b1c10fdc7428cd1dd7ca521d3b49b53e5149bfc56d

SHA512
68030e8e07e376961356c657ea74452823acd0f17c70ada48e81c78e7672ff4f15eab2ede1f98d26fbb0535dd1a193a671d2618c932e84f4a10f0e3ef1ec0757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\fdb11d0c-31be-41ef-a3a9-317b1621ba0c\index-dir\the-real-index~RFe594116.TMP

Filesize
48B

MD5
8711fcc54ff7b3a2d2eada3ecddeb171

SHA1
63633b41f58a7d40d399543dbc2c1ea149125b70

SHA256
a3dbb82382378b5f9d1aec6fabec8ae94d099b487d82d0ae7ae1108c50574fb3

SHA512
fb1d7b58ec5bc16868e1a4e472d68e85d141570ef12f389175e962a57a1288f6dbdde3c9758d42caac8194c20080ebf8cfc21985e91d19a4dcd51a6ae93dfdd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
109B

MD5
f725f1a927fb3da8ad44d06af9009e97

SHA1
f604a6dc53a5390909de506f0c3fca285b740f2c

SHA256
d9d2c7a088db043bac73db84f5b686ebc19f5652c229e56a42b26fab6a5162d4

SHA512
aecfab8396cc1c2113dcead85766a7ba65ff37c17dc675f00d17ec83bafe777abdac5d74e601e3bea899b787c1bd2fc8568fbdaf1b726a9670165989d7404042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
204B

MD5
2e95d8a141f017e03ae4c6738210ad03

SHA1
7352e0e2fd396225f7bb80b7b72d505659869ca3

SHA256
d6a872960c9be3096fcbd2aacb108e71b2fdf41c53cbd1027ca69cf5ddfa8bad

SHA512
3eff3889faaf10f2112b4b121eb1aff09510932b3b00fdebee5b7b2956c5e51c04940c6a159b5331653623b85fa1552353ce99bc68a75880feec40b98f4286be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
201B

MD5
04e6a38a554dd3e32ba701563a4f1b99

SHA1
7f2719bc4251ec64512be7579890e72774ece83f

SHA256
d517f48e355d82f295c163fba58001fd9e91c1f7d97b2d15fd83d20a79d75cea

SHA512
1ef543ce243e87ef83769851d9777ed49d7a6caab1700da3536a7045c28e81ac06558f3feb680fb7bc33e8f0c021d41ee378eaae61f7eadf1106db0d744f2217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
25b6a25fed2454d1f8a0ab504acfd710

SHA1
12d226a53bf8aa9ad2f16d38dd72a58ed6b6027d

SHA256
bd13e2108e9db0c63db7dfb894c15a3faac98b9790cbe97dd4b2db9de3c4e690

SHA512
3500a3530d723266dddea9a79fb7e155907e746929c8833e2aa0b07f519f29d6588d09e5431d3f8456b024c71171d9daa117f20935566396bad2f937baf384fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59357d.TMP

Filesize
48B

MD5
73d0d41d09395da0f026c1ebc6c34fe3

SHA1
d5fe0d5b95a70afabdd0acddbc3b1ea2208ebb20

SHA256
69c013a2a65f85cd3582c2d2d9a4dfda0e0a5d9a20409d0b224b748f12e425bf

SHA512
61ae014ed87465148b5c147a69694fe74fac5cee37044802a16c8668fa22cb3c05e2518d327886fa87087b7fce99b224c694ca34bffdc632d4129c8bc3238dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
12e92303b80efa08b70bd6f15cffafaf

SHA1
619567b3796637944bcd11867d47134edd6df724

SHA256
f4b88f6f69f129be757ebf8c3c3ace2dc362213fdb860ef11c2eacaba911b82c

SHA512
45f12cdde37d150f9bc456c7bd0d8d974146eda3b0ad8d7a63d718cb6784d7673ed7ef754aa534baaf7e1d761d0d7e71cb99b4f41ac2c9285e76b4e0854b8c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c53bd71d0c110f742cd9f3b1d4b8facb

SHA1
41da9870be765f728d44d7d7bdd70c468bb56656

SHA256
592d64b70d7dc1540a5cea3fb4e3ef3860e44cff45dbbaef4c3110429dc87a30

SHA512
7411d345ec97cb1fa391b22b9e327bd27760934878e1c285578bf4f7d9d39c7851de0f91bafceee506e3a8bb3a658bf2ade327a64491b23bf44ae064a3050ff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2daf844962b84de986d3c54bb133e3ee

SHA1
e78be75f243c32dc7d88d256fde3dffc67b9aa5a

SHA256
9ee77288cfd502a39d8aaa41f22c08cd22906f8ce126946c5fab9fd807b3c93d

SHA512
efd493248086369f352cef9fa068155c1d5256d72a8fe82503da1e3a28254d39c18049eddf7c4245ff891f048975ce1409eb9f2c8f235eb60a6ac2366ef52a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6fdb72d78fe4ad629a2883931aa84bb5

SHA1
ad04119d4413ac641de28e4d5cb159dd84ef1be2

SHA256
60aaa62861abb48d65853488247d1af16fb1b542d49e68b1dbdf52ddeffc97d3

SHA512
970ebe572c29f03a65305676d7de30e3438a2ae78ae6aaef5d451b6f8108a31bfe398b3a972c0bca6b49bbc48f4bbc8b34008159f60b3256bd111deecb017fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e18585b5cab7acc4dca433fc578d1814

SHA1
6206202ed8f75752e5023501120cda62ecb65a23

SHA256
b68409010418afe9d7af5ebdb9977c951792b0e260cb9dac519822f71b14ace0

SHA512
ce4e8453eb2e6e31a5d313d4fe83becd2180a9d9bb11a0b9c9d195d522a08a8a45d6a4217790b4e88ecb2c332531b4e9b05fc89bf30eae3d313c51f28497f255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d8482576c90185c0fe4f2feb2feb364a

SHA1
91ded035fe94fe4f19a02d08aec1a7c3eff96549

SHA256
b4e56ef93eb396448e3af823c9078a0c64eef8f59023b58ab8c257e93cf7b634

SHA512
99b3b1d524cf839e3db268ee20ff195e294cd6bfdaa1991b692feb9550e61ab9a7b0b943e4f058fceaa3c0cefe987300937ab0f11f324d503b28103b0bed3d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
711137d21489e2b39d3b695e393a5440

SHA1
ced13c97b8cfa4f529a6aea4bc6d5852c6a5aefe

SHA256
80648bb52983fe002d9702f0741f281cbf18ee09b7eecc440d49323451c182d2

SHA512
3ee62f33f050f80fdbfe9a71b0aea0566d5ca0b2ff565233b04fa0a0c6971bc83e1340310cf154cc305e52e940edee33103fa35f14977821319654fcb5e69fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5923ca.TMP

Filesize
1KB

MD5
88f9b54be45a530a8aa12b441c86f5a0

SHA1
ecf4b14d3623e354a0e34c3d4aa64786e2259c25

SHA256
eb688dcda576d53cce646d7e18f90d864f8b619bcb296ddeb4123a5bb56e16db

SHA512
04ed02684325c97b49bf3aa19097459b8f31f523cc60c469b927dbe7c7ffe588d6f90ec8d5145209e90b3fba921e620ecb8681a2bea5e8c0e204459af4a032e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d742c0c285575be8a0c1117ca34a5f0

SHA1
b509ede6241f37f2db42c84f6df90feb980ef95e

SHA256
59d47f164f38831541de287dc39f6c8664b1650fd337ca821be19ae7c0f278a9

SHA512
4767d8720df4a745bb170c23226c4a59b74efb050243e46771dac586dafb3e5c4d58de0f3c2a5b8ea36072e47d1cd52b329b7987325da4690dedfc873dcdcfff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
810345598f001053f592771a7b98e8ac

SHA1
fa9e0154667259ba10cd93e4f5616da1849bad18

SHA256
007c6fac74d08efad5cf10f470d2f7419d7fe06aeaf9ce754d76f918ec1b6421

SHA512
1e7db05ee502e8ec4ec1011c4a99f39a54bf5c7843b57a6cd223c61ceb6a5931e25205a50b9bb21ee9b8a58456b28de34b3b95a82060b7853885c18912ce10f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6cdd1856eb74516a90c77453698cb519

SHA1
01b0d6999fb3d984aa788f5430289aa7eda25646

SHA256
1a7f1c580f2fa5d055b8a3561724148cfe0f5165bcc533b4ab30e97b4ce18b56

SHA512
7644a09e265f7306eae1cf6df9909a7767d64b454ff6958633ef30b192ff76445a2d8781f708a17a46ab94c72467500a0cafa6d4054a509fd20822913d2c8229

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a73ea6e1db27acedbe4055c448f82ef7

SHA1
01769a266d26c4b4b374099606e86b8874ddd55f

SHA256
c3059c62596021e555ec7901361fcde75078ad931bcac6027539930bef8b77d9

SHA512
f9cfe99077e40ac3ff11ab39020d6e159ec06cf50f9b1d156858198d48851d29de8882a18609a17dd30ddea421c6c415683b8d7b14fa30a51ddd1cd76032deb4

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.2MB

MD5
deedda7493bdb0f1ac25fb5b8c7a4756

SHA1
7f67d355e8631a05f844788850cd299d914f7fe1

SHA256
1e1a96ae7bef93e369510efcf2f02ec4cd8e9fbe6a7236c42ea2cc04b373158f

SHA512
fb972777ba672603d991eae0ae23c8959fdba5530d1d461d01f9202b1236df081a8739535af0eb3cf15608e5d48a3a76a36ba8d942222149f5de481910f8a649

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry (1).EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
memory/5864-3071-0x0000000073380000-0x000000007359C000-memory.dmp

Filesize
2.1MB

Download
memory/5864-3070-0x0000000073700000-0x0000000073782000-memory.dmp

Filesize
520KB

Download
memory/5864-3227-0x0000000073380000-0x000000007359C000-memory.dmp

Filesize
2.1MB

Download
memory/5864-3226-0x00000000735A0000-0x00000000735C2000-memory.dmp

Filesize
136KB

Download
memory/5864-3225-0x00000000735D0000-0x0000000073647000-memory.dmp

Filesize
476KB

Download
memory/5864-3224-0x0000000073650000-0x00000000736D2000-memory.dmp

Filesize
520KB

Download
memory/5864-3223-0x00000000736E0000-0x00000000736FC000-memory.dmp

Filesize
112KB

Download
memory/5864-3222-0x0000000073700000-0x0000000073782000-memory.dmp

Filesize
520KB

Download
memory/5864-3072-0x0000000073650000-0x00000000736D2000-memory.dmp

Filesize
520KB

Download
memory/5864-3221-0x0000000000880000-0x0000000000B7E000-memory.dmp

Filesize
3.0MB

Download
memory/5864-3253-0x0000000000880000-0x0000000000B7E000-memory.dmp

Filesize
3.0MB

Download
memory/5864-3260-0x0000000000880000-0x0000000000B7E000-memory.dmp

Filesize
3.0MB

Download
memory/5864-3074-0x0000000000880000-0x0000000000B7E000-memory.dmp

Filesize
3.0MB

Download
memory/5864-3073-0x00000000735A0000-0x00000000735C2000-memory.dmp

Filesize
136KB

Download
memory/5864-3345-0x0000000000880000-0x0000000000B7E000-memory.dmp

Filesize
3.0MB

Download
memory/5864-3351-0x0000000073380000-0x000000007359C000-memory.dmp

Filesize
2.1MB

Download
memory/5864-3442-0x0000000000880000-0x0000000000B7E000-memory.dmp

Filesize
3.0MB

Download
memory/5864-3433-0x0000000000880000-0x0000000000B7E000-memory.dmp

Filesize
3.0MB

Download
memory/6028-1518-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download