wannacry | hxxp://fbi[.]bet

Resubmissions

30-08-2024 12:57

240830-p647vswerr 6

30-08-2024 02:12

240830-cm7sestfkq 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://fbi.bet

Score

10^/10

wannacry defense_evasion discovery execution impact persistence phishing ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDA71.tmp	WannaCry.EXE

Executes dropped EXE 11 IoCs

pid	Process
5768	WannaCry.EXE
5440	taskdl.exe
5756	@[email protected]
1828	@[email protected]
5544	taskhsvc.exe
5840	taskdl.exe
2232	taskse.exe
2260	@[email protected]
2348	taskdl.exe
5240	taskse.exe
6108	@[email protected]

Loads dropped DLL 8 IoCs

pid	Process
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1816	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmkaqiluwluphj236 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
119	camo.githubusercontent.com
120	camo.githubusercontent.com
147	raw.githubusercontent.com
148	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	wtfismyip.com
76	wtfismyip.com
51	wtfismyip.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Detected phishing page
phishing

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{84A0B2A0-5471-495D-8C9A-0681920E7086}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2968	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 320994.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
392	msedge.exe
392	msedge.exe
2692	identity_helper.exe
2692	identity_helper.exe
5044	msedge.exe
5044	msedge.exe
5872	msedge.exe
5872	msedge.exe
5508	identity_helper.exe
5508	identity_helper.exe
4420	msedge.exe
4420	msedge.exe
1644	msedge.exe
1644	msedge.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
5544	taskhsvc.exe
1820	mspaint.exe
1820	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: 33	2904	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2904	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	4652	WMIC.exe
Token: SeSecurityPrivilege	4652	WMIC.exe
Token: SeTakeOwnershipPrivilege	4652	WMIC.exe
Token: SeLoadDriverPrivilege	4652	WMIC.exe
Token: SeSystemProfilePrivilege	4652	WMIC.exe
Token: SeSystemtimePrivilege	4652	WMIC.exe
Token: SeProfSingleProcessPrivilege	4652	WMIC.exe
Token: SeIncBasePriorityPrivilege	4652	WMIC.exe
Token: SeCreatePagefilePrivilege	4652	WMIC.exe
Token: SeBackupPrivilege	4652	WMIC.exe
Token: SeRestorePrivilege	4652	WMIC.exe
Token: SeShutdownPrivilege	4652	WMIC.exe
Token: SeDebugPrivilege	4652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4652	WMIC.exe
Token: SeRemoteShutdownPrivilege	4652	WMIC.exe
Token: SeUndockPrivilege	4652	WMIC.exe
Token: SeManageVolumePrivilege	4652	WMIC.exe
Token: 33	4652	WMIC.exe
Token: 34	4652	WMIC.exe
Token: 35	4652	WMIC.exe
Token: 36	4652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4652	WMIC.exe
Token: SeSecurityPrivilege	4652	WMIC.exe
Token: SeTakeOwnershipPrivilege	4652	WMIC.exe
Token: SeLoadDriverPrivilege	4652	WMIC.exe
Token: SeSystemProfilePrivilege	4652	WMIC.exe
Token: SeSystemtimePrivilege	4652	WMIC.exe
Token: SeProfSingleProcessPrivilege	4652	WMIC.exe
Token: SeIncBasePriorityPrivilege	4652	WMIC.exe
Token: SeCreatePagefilePrivilege	4652	WMIC.exe
Token: SeBackupPrivilege	4652	WMIC.exe
Token: SeRestorePrivilege	4652	WMIC.exe
Token: SeShutdownPrivilege	4652	WMIC.exe
Token: SeDebugPrivilege	4652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4652	WMIC.exe
Token: SeRemoteShutdownPrivilege	4652	WMIC.exe
Token: SeUndockPrivilege	4652	WMIC.exe
Token: SeManageVolumePrivilege	4652	WMIC.exe
Token: 33	4652	WMIC.exe
Token: 34	4652	WMIC.exe
Token: 35	4652	WMIC.exe
Token: 36	4652	WMIC.exe
Token: SeBackupPrivilege	5700	vssvc.exe
Token: SeRestorePrivilege	5700	vssvc.exe
Token: SeAuditPrivilege	5700	vssvc.exe
Token: SeTcbPrivilege	2232	taskse.exe
Token: SeTcbPrivilege	2232	taskse.exe
Token: SeTcbPrivilege	5240	taskse.exe
Token: SeTcbPrivilege	5240	taskse.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5756	@[email protected]
5756	@[email protected]
1828	@[email protected]
1828	@[email protected]
1820	mspaint.exe
1820	mspaint.exe
1820	mspaint.exe
1820	mspaint.exe
2260	@[email protected]
2260	@[email protected]
6108	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4232	392	msedge.exe	84
PID 392 wrote to memory of 4232	392	msedge.exe	84
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 4272	392	msedge.exe	85
PID 392 wrote to memory of 1484	392	msedge.exe	86
PID 392 wrote to memory of 1484	392	msedge.exe	86
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87
PID 392 wrote to memory of 1408	392	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1820	attrib.exe
4644	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fbi.bet
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff877946f8,0x7fff87794708,0x7fff87794718
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11587203073622211640,9185141796838187803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:5652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x15c 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7fff877946f8,0x7fff87794708,0x7fff87794718
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3796312643966423879,2673765361770470815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:5228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5268

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:5768
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1820
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 198071724984058.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5408
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5548
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4644
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5756
- - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5840
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cmkaqiluwluphj236" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5704
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cmkaqiluwluphj236" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2968
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5240
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
1af671c4da6f415a5731a07611eb66c7

SHA1
2c43b0ebbba7943bb793212c7f98e14a868cfc0a

SHA256
5ee25dc159a6c4064e3286aab8327d942fc6a356f66b2c133748f73719353202

SHA512
07439512079b8a1ca12ea32ead654b561fabf5d3c273040eeadf1a55a5c42f0f320a3e3fff2fa608d8dfa9333f148e4959914748c08ccd1755ce75e0f8fb1dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
646f0bd64ee1617c3f718bc49683b5d1

SHA1
c741146021701e98702d56f07c0487d3a3b387f9

SHA256
42541d16c833118aeedea1bbb88654e957dbce1b5c64a0432285856cfdcd04c7

SHA512
81dacef0781255647ebc77df1ec07e45c3297474046674ed0d8b06b68141a23cc63b8215b3cbc4c973aecf5d2f461dfbe77e2f68b8a25323e1c395879f48f8b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
23a7ed4241dde16f0ad2b411b9c5c51d

SHA1
c994e59eb572574c8f4318b8af2c52ee49800a0e

SHA256
536b9317507f59b82c339f99a00ff31005d5d44df223a1eddac7044562b70ec1

SHA512
7a92b8cd419d3a26591d4a081afb0a1b9f19f68365d1ca172584c145e2b7d1c24f1a3265e96199363e7ee9ec0ba1ef2f02ebefa987fdb12109d7369fc27dfa30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
7bba73d8e607094b22be627bd8698024

SHA1
2fec2692a036bc4cafc4378dec4c1a4b1686ee00

SHA256
a26c38b05e1e89c1d8993dc4352bd04a28ffa337f4c62cb81bc36e37bda7112d

SHA512
a9f5c499922335a59c3f7926446c0c2b59a7c80990bb059fbe6a530addf75a579a7ae7b0a5341133baebd0db360f420183fafc36f91b1046daa197fe3046263f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
749a9e7b9603aad62f3fbe1be3bd350b

SHA1
885cac1d5047a7b15f82ec8c327656913b7d6b91

SHA256
56aabe1b06a3de7789550d8a16bd254dfffc5b3f3d7c90bf82137815bcd8a697

SHA512
ba08e844568b3d19bd80608182f3cd61638a4dfe6d365e0e1f34b308abd2a7b6023c0af4ebf65bf0fafb52fe3b74ef9e80496d6007b5678a6827f49d469fcf87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
30b9cfb8ed3a267d46fc24c827fabb9c

SHA1
fd211482863532a8558a65a44d1eee15ea9daa90

SHA256
53f7c5d9b9c1270e86505057a8713ff354b76016a1373c8d1ddef6a154032caa

SHA512
abec07df248ccf4e1dbaca3a93fd7bad2d15aaaefe23fdbe58f3f9b1ba7abb543104c1c036e7f4bd720ad0bed2a75dbdaf27bdc31c545fab648b53be76c5a9b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
2dca28aa2f02468b17f5bea2b3a7b595

SHA1
46b3173556d20cf4df4b854f4f81a4b93dce4c31

SHA256
a55dc1dd6a880a0487321f2ac360d7ce5205ac24ff2a2e50a8a86bc3c939e1e9

SHA512
7435fbdac3e2e278d1630df4c1132a867b0e2b031c99bde8f05a655cac2113ff1a942df00c4dd7361ec569d16d6e8f033d0804f8e79ed045877fa4557c94d280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
07ac2a002b2d30877ce03be77088faff

SHA1
5402045c387a60a40a52b6fa9e9eb1ed8c0a803d

SHA256
af02db758da944f3782577301f9ee1c29589f7bc1fdc6f83a98c9fd4c5bd77b3

SHA512
3a7743f0f5e092e5ad15e6f97d452f0e8bb038f2cea9f0998d76747bf10888fba6277b443f8b9bbd80c3c9fead539621d066f10000ca0c44ae403011cdb267a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
c860ea78319cb649a9e64cb70ca32ea0

SHA1
65afbc92f1b25c8b6b66ea2a7183430108916e1b

SHA256
07d855c0ffa2391e030331f6b2a7a613ccec1bb9bbeca2efc828117bc1f6ea84

SHA512
d9d495d57343b7b8e32bd52dbeb23d29adc5cab09d79b13a3523ba3826b1b1eca65796a475e82c232dc13b757b962f40f7fa7d4616284813d23bb45c659d13c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
30017b317b91a05364b5611f3ad05a78

SHA1
c9886fc1dca171f52dc91146ab38b689e3b42f14

SHA256
45a6f180f4254c5c528f915dd1d8ff5abe58e4fe84c9239a8740ebb20d4e13c4

SHA512
bac47dd58b8c474b203706dcd12b759d95b784b178e8d073c7d428835e961679794d095ff201e31a739b172f47ffb088172cd225c133fc3717fb86f84e634bcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
d078ab11c26f044d67d707fb9b53e0ef

SHA1
76a75df9f428deb42afa741be4259c884dceaebe

SHA256
dad10cfacdb1fb4c46953abfc8c5ff7386395427ebb70a02ce93c45304603633

SHA512
f3ccf3910576020b50f823e8ecb5f99292c54d9cdb1a2a8d189bb53ac524ccd4f0d634c863226403d7aefe9fd53bd60c12b5e3b000338d0684ad8fbfe278bf69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
684B

MD5
16c01ecfc1fa088691339a47f4a2d719

SHA1
dba7804fb7663a11fd902338c4aff828d1a78b7d

SHA256
27819f01ed50dadd99ea6c260f192d184fda923f75f7175a1132b5ab1f3d3785

SHA512
6e6f2fcafe6c9e7a100eb9fa0ee823b6f02d540fa7bd057320719d7122bf61dc86276e3e1d41e08914fa6399b5e1d61d7b6e84ffaa278fe04f602c509d1638c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
bbde76e2861083c5d8fdc397d0068ecf

SHA1
8966a6cdb96b071b5d42ac4fc9849c66b7445da6

SHA256
d3a488cc3636d1e3e4e14bb17cc22eac2683fce13929e899acf7ec2209ae3ae8

SHA512
6ecc412f33162f5bcdd84de149a370867650109b9002f0f175dacd1b4a60d385e5448481fdcfdc0c888fc719a67170f356aa13e572719669eb843cce479b17f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
397B

MD5
d9e666be39b1019a9b1b1983a8ccc53a

SHA1
5c129a5b0d7d6e01817f895d8a45f7184eb53708

SHA256
92504a0034f144db378068f3aef2455cd47bec51ceb009ba46f5345e1d497c6f

SHA512
22301b5a654735e39b2afc89912d8a38b71435f76ce3504ff68fc76fb026b40b603d506d770a792055d0dd7f125d93f3265023315ffeb184f60871c2bd7bb731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c3c69cd7bb0321c1a7807dcb6bb7680f

SHA1
77e041ba5558b2bc0fb2f5da6d9cba3f20d6f6fc

SHA256
ecf375c6e0be2da7f2e6f0022a1b8dca406dec1a1dec006627df1eae492c053d

SHA512
e6e682a7d4044341956cf3601f4fef716b898440f4d6932627c28c5674be13c78f33c248a036bbadeb64a782da856e1f98eea0af996661043a73f514d3b023d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39c3794f1dae173a7967224a06d77121

SHA1
ff4824ecea551cc7412e5c4ee7a676f2ad87c047

SHA256
6df58b30e25704aae04595585a97faf1d43c99592d4005121ad35b1bfd6706c8

SHA512
6f6168cb99da6907729e03cb8d7ab58ddb9b834a063d64dcec33132fffc9b70edb4a6e05acd53228519b48f5512335ca5efc32d2d272fba4212a0373ea4196a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9b15de7401e7e3202cb8323a4b78fc6

SHA1
16636f8387d053da976e32ccd1a28b450030fd0b

SHA256
0eca9a93afc5456e335f087d30cef3c6c017eff171ea713f1a7d280bac541e0c

SHA512
ccbb77eb370523d240e90328666ac61dc5a99c87687d6233c9b4da4390efbf7337dddc4a855ccda1b1c84a2511f3130fba9a4cec0f2c546fab9a6342cb2b9a0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d860a8cc1c4b27960b8b6f75e14723e

SHA1
3b5c0da1b8417e2eb24e63ce900fe5503b971900

SHA256
21f3244310522c6a064d48b4028e8cc5209a6e6101be39709f87a12fb11c09a7

SHA512
a8f1cbc1ab993ebc742034440825e4666ecde18ad5224e566393e16b2514cb0ebd4b566b04f40c9e240f3d05d86b0134e41d090f02f40348288e931698e7167b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9650c6ae08f228c8fd31611b59c066ec

SHA1
905284043caff5917feadfc8cc57ec9461bac5ec

SHA256
21f0f5bb5d38ec1d118b9e581a30352475ef5ca2f1da8b6da8ed7fe8e84f4acf

SHA512
9f89641885dbfe7675a76a80f34b81b44222e859b44020f26a82487e698a734a3835dd5596be56e0a6b525ebcbada7d94f0fb3b540ea699a16295aea389b489b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9ce7da1951df4d5dc1b1f112643be7ec

SHA1
0c0ae9987bb8a7f3aaf2b70dd98d5c6283b308a9

SHA256
a1c6367b53ec1c2dd49b571bdefc7adef7dabd87bdbd23f266ef1b7103b04e28

SHA512
6f2ce96d435fbfdc081b2fdbfbd1d4bcf13eff717fe10f18fa318e761fccb15d7911e38a172fe07a3ff845e05b916ad139497650ba61cb1b2a063817b7b48088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
047bda729c65559558e46ad77ee7a3d4

SHA1
45c9fac45828e51b7e24c328baa9e3992c74c531

SHA256
6950107e36efd62c799f41083d7bf93d1a5e62041596dc831ba7cab448bf120d

SHA512
a8d21072ff41b47294f2fdb3f0398277c778c62a4a8fd9b23c1d6bb43475b0ada1a4604e1a3e295618f03891fb93e93329032e7debcfdd8a4725649074fd4ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2a927b954144e0e69dd45e2e2fce5527

SHA1
9eddba4f1c8414627ab93ed9ed13cdde75eedd01

SHA256
f4df597cc53c0ea644c190dc524a1780ff8c426602a5b1bcc32e1208b81adfac

SHA512
185105a3a8fcec3a1ce1db446efefe1967834393202c44c6ff74d07ca33247dd8c22115c758c04c1e6eef922f5e80472e676c1719589bfc2780039f04fa09ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ccb31555767413530ebd86c27d2aa4d5

SHA1
ca21a039fce7f25f6a39868fa0e2b30320f3eb1f

SHA256
2c75c68dd5e85c7c2367e9dfc926a2028990383a76c1b532de2a2fb41ab98312

SHA512
ba216ed282090ef9367099b98851f57b83150761f5db729a0825d76c342d5b71b8ffaa14a82daa8abb5dbc02a651225c126f8a88a93a15bc4b44807401021984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
b0b421b23d3daa8e3799de58d0b2cd3c

SHA1
2c1c3e759c645a87432d6eaa55d108f8f70b975d

SHA256
b4ef6b9f807aa97fa1f13b56701f1711365c7356915e7a0a4ccc312e298a769d

SHA512
25e6ec437a3b8b6a04590c70ca6ac698c3594d64f6be61b37e815543fb04a8324758c9dd325b41f1cffdaea6ba2e0890f8a295069fbdf49b7e780fc6da976169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
824e324c991d5b31a2e9dd97e8efdc37

SHA1
2a30d9968383639dc02eafda1461a40a0ba1e3f4

SHA256
b574f02e65bbf7921d8f0fbb2702ac4319f234b63f47b58856e57fb16e02049c

SHA512
1d05c4aeb2a907cbce527a1242158a03b3eb68b220481aca4c6ab25af87329a6af8a894a0911cb22415963ca6570a55fb87cee74aec237befd823b0f8ae53396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13369457572108917

Filesize
1KB

MD5
91a042834ef4225d5266c3c17d0c1a15

SHA1
3e3caa21816e41878bf2a066c4c6b823acd00a1c

SHA256
e2994164085669d505dfc7441da0a6f2b9df0e38fd55d088473e0bffbd027a47

SHA512
4071cb26ccd63350484bc12b72dc6c89cb48098055f17387a8f00c115dd1c786882f144d8627ed54ccf66aa31858b77eaf8a64e4af9ec7eb84735ab0296278e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369457572323917

Filesize
1KB

MD5
c25a5339b0c81f9f2b3ad100886cc7a9

SHA1
7143c2a34f284f0c7205f49de7acf3c141133e41

SHA256
c3b4b144313976f31faa729932cf569f8085ca7e480e2e1f74acce4ad5033065

SHA512
1c5ec02b3c5776468540425b6d12f6e2409c3bec4992cedd66b076b46f4ca3268a7f1c1d5bb76f70397a3f4e8dac6e94586b72d1c4bd548fb9e2704c4dde4a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
8372e61298a15115dcecb03c61bcba6d

SHA1
873afbd16289999dae9eaa91f522bd7b0d9039c7

SHA256
603b2500d21db9662b8e5b60f571715b75a343cd248593134b102309455b21e7

SHA512
e06d56dc613141634984cb8008d2bd84c4053b81421cfc9db146739ab400516adf846bca159353aa9923a4aaa7864c27c64f8407bb1aabd9eff7b5be326d8ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
5737123473aeb21a9d23e614c6e1cf1b

SHA1
17accc23d343a8608b732cf20d53f804de7a7dce

SHA256
eed09de122fae455ff7234807d542c003df238f7da5636999291fbac15b16862

SHA512
9fd8474fd5ec0d1876c86f38bd1ff6a01f0455f922093387e5bfc4d312d6d1ba489a24c0ad80417262d3657d75cfe5b4c4b803dc3a6fe3ba6e0c86311ff18c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
08a56431b4e83a8ad12cd94961a2bda7

SHA1
0887ea4576db0f39b3756fbe11bdd1ef3d7e230a

SHA256
8345d469c16a9ed5698ca5106f7eacccf211c183f59c04a0cc90122eec957348

SHA512
d155454e6ff9be1f3ce23d7e5c066a3dcab395a8ed8dfc0b6939c69c47f8fdadf41de2b85ecf9b644e8accc7086dfc7a58414c17cbaf51455558e90178092dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3b59ff2cb664ff933754eb394d316e4

SHA1
926cd79cef1f1c72639b8714949376d0d59fb01e

SHA256
ac9bc4bbbc5cac3eb26917b3923fb47e5594a649937f35311ed7e75efa2367f2

SHA512
e82750c8fb894330fed9fe22c0165ffe4d868007557e79d83134087f26e8994cdea943e6f82fc66b45045f7998edef62185f8df507bb9752ac47d7d50e33d63f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
30e8294b0e00f150ffd5362893c72711

SHA1
d23b2977f8e6264887db75b5f3b7b1955e648ee5

SHA256
8843118adfad6629f85be3360bcad34285d6999327d9061e978e349e3ed8e2db

SHA512
abff82e77bde1904a582acef0ec6d0b27ffee328cad85819cf17598a6de099ce399f37fab71754d4dd9093d91f84a6ee018efe4a5fca820e787ffa333cc49353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a6bb.TMP

Filesize
1KB

MD5
531c13e590ab9705b022ed942cee391b

SHA1
ea108c72ab0bc8634157cfb50768d6e9ea3f1b7b

SHA256
9e19ea8e968f5f3f2b06e8379c9e5685de8c8b15d4d32d03bba60fb05fd46be0

SHA512
6ca745e887464098c0f64e15b28cf51a1e31873304e3be62738d2dd0f198eb4cb68b1422c818c69012da0b38f577001cd4ec05fe46f866d6e654fc7682ded604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
12a21a296ffe0684f232972b729e29ff

SHA1
c9c13e0252dc0159a78b380867aec7193f00fb12

SHA256
c513db94da3832e2ef34a972eb34cc28b074c319e52bd3191c4f686cb6a7ee09

SHA512
bfbcc889170918c0618336aae8a4969070ae63465e7602824be52eefc416c06bbf0ff311fb1ad93858f53b6fa18cbe67f35ee4d16f36a6bcfbe7b1949b9e7760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase

Filesize
10KB

MD5
158c88fd9b61682bba0cd29a10b0472b

SHA1
08acafe1688e3be23d667fcabdffaf4a2672e77b

SHA256
8bf8b5134430e63dfe6f78bad876c9c7aa81e30cb924e5ee6191d2f36dfc4e74

SHA512
78f1084ebe0301c00678eb63e44dcc64ca636c8afed3d6427b2a3d5378f4019222cbde8cd896007cffaa36d33f47da8425ff8e08212d12a39026e3f0cda997d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
198B

MD5
9431a2e686836a2d89b42bde33f1d334

SHA1
0379f6bc7a88c3bc45a960c589e31018eb5aca94

SHA256
bf2a109f6c2ee7ad5ee62fe44426934b7c84e08974dfb6538da8e13879364308

SHA512
5448efc08a44e66066f6caedcadc292a7c49d53c44624f1cc4e952bbb4d8dcc78ab4b6b6ca0090bce09b392915af9cfcaba78e36e12fd9cfeecc0b3cf768941f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
0976ec37e2a08fedaa7677cc0b40c484

SHA1
98f59f8d0e54f9ee99d2923e367de16933542fba

SHA256
825d3bb0a617c40fb943fd769bf363d2dd2f067a478528e3efa2c28a42188512

SHA512
492aa7e5093ff5a8c056547508f05bcd9fe5aa06135a8e7e4abd1fabcd5a1ab00bfebe1200d15ed91112de42d9edd0ac15ee484afac63bb44534afe887994a94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
35e1f467bb8bf1229ff027bca8a13375

SHA1
994cda6e77d8e6ea0399152ee58f19f817deb89b

SHA256
25b4a525cfd77e4c2f6619b4010b1def40627f7482ddf84b352af73b32dc8814

SHA512
1a7376cfdda407077cfa0e6549856d7452cad7e08ab51e679769a35e6ee224c35b115b3a7532914e1fa90065f10e07a5bd7490413e58901e50a155f6a7806223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
6f43709f1f239bdc8d704a25d6d2e052

SHA1
1c61e48f21f7649f698a47d42069dfc9f2b26519

SHA256
7f3eb9cee7a3fdc502cd0272a999d1d4690466a5b3b98b91aa982ecbd9fca9f9

SHA512
b184af67e993e87ad489cabb3335b1e48312655a61d07e99f60c7a2a01db47d81884d14b07d11f76e685079a64bd4fa87f07ef2d231c647a0fb08e45e01775a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
621ffb1d2f7cd06d6a4dc28c1be109db

SHA1
2f19181c88a08e04bfe2952f9897822740a0e26c

SHA256
71156b7d1ee1274b47f8f7a0b4038adbf07179ab58a50972293ea16c4d57b00c

SHA512
4a93246f3e7e6d1264369c15525986b0b3ceeb049d556f5eee205ff6739faa1c33edf652393aad980cf299eb29452bfc8c8b9eebdb93da7ed0993ef82faae5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
0cad6fbb6ac18eba21c4375b0be29fc4

SHA1
48620505306ce6c6a959aaa897ce301f036c1a4c

SHA256
6f2beacb76ea6fed297f772f912cae6d94c2ffc9c30a5af402873e21cd3b51ef

SHA512
5ae87ab7a7c7c43a46fd267ee35b268c2e35861685789b49807252f55ca556db5e03e38755802594559a864afcbb861998aa6cbe929b615e7d40ee29b7191aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
03465e9be3bc26ada87d1e0c7fcdfa0a

SHA1
76924655d3c32c1940528246143d6c9d51420615

SHA256
2efedae9cfdf618dea1f33cd6bb8da43014f6038c453a53cc0b4c3b27e285bf5

SHA512
f4fa609dc0ce367944cde617f54a393252a29f17cc8e3038f367119090754b43587ac2a9e19520c0e52aaea0ef10579c5270cc13878bf250bf32905e1769a2ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
3ec592d7aa7c082cc6db07a0a92f4391

SHA1
3887e38d2d83591f90c7b0e5c9370f923592bbb7

SHA256
395ad5008c4e628f5879152bb05f1c5df71ab93e71186422b19d8fd80e971639

SHA512
28fe748c443072b08f692f868ce1269fb20000b9b3a3e26a2c4eef393b2fa44f81769b621d9d66a72a9c7593e6724d92268d1f7fe91577750d5f5d283a971df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
336e486d50a555b52655b6f8e6ef4a77

SHA1
20a9c9a0831d909c6161f3c3c7a04bfb00484bf9

SHA256
c397a6fd67142cc87665c22be9d1937931d94760ecec9c4e24f6694fdcc1c8f6

SHA512
3c7eec76b42eaebd58acd2150f45317e5cc36842bdf2153b27f0ed84375333f0bfb82030ded37ff0ed9061359e55581ee9c929b2ab94fe3a5585abb52dfcefb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
16KB

MD5
6d8ecee539fd72a67c3fab4b819de0f7

SHA1
35196c3ae4aae7b3080276c5cd4f8ba61476aca3

SHA256
9e049f18f515c3b2f9edca708efa3c0f26fb396bf0c8a4adf1958521f8c60525

SHA512
6c066e3961030199aa006f344dad784ca5efede8e740750b30ce96f51cdaf2aabf80acc1e804690db00d379a97552f3bb7abf207f66da9f622ef5e9e27081024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
010ae01af0172e2dde6579d1eccf6b33

SHA1
1a1e289d566a6b3f080a266c42aa54050094bd52

SHA256
520436f808626ae615fc137b256632b935b351a50dd8175ba2433ce1211555f4

SHA512
6ab33fae2e6f58bcf10839bd211fada9a7225f5b0956896c63868b4813311df7e9d09367a320fc7e40e5ceb3e1fb6fed8a4eed014be0693e16b183b6ad63e042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ff177a6bf03bb81ba9bac18b4fb5c24

SHA1
9f8b401d875bc027c0889e4d339514991928ec78

SHA256
27a2a9b287caf0d7dbe087cf0275b6c76451e50fd4df47a6bca2a1a9ff02872b

SHA512
b21a2ddac76bf015e6070297c053ddb3d16d8fa995a8519f49f39bbbd6b4c6da0e34a9105ca69c97776b1ec440b3a73723622c91d1fe4aa4502e10f6567ae530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c243ad39a4cee4bc962b93af961003f

SHA1
47a102770b706f654b9287e7a575ab6359196149

SHA256
60bdd2c122287b9fe7c333a3627e6e3eeb03b6ce7a8aaca3c198427a5a3eb7b3

SHA512
9cc85d2616901901fb4f216e149faf4c10e5a5608574e9ecdca3233cb3622f93a29a757b8253277e80f513bdf45fa4d76caa7796e4166dc24d6e7ff6666e271e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e95391b926311765c1a2c5439ec3471

SHA1
0997ff73d5cb15fc89ec1752fe72f7d5d3d0f92d

SHA256
af675cfb48de9151bd083568349319d53fecfb2c0df94f0dc734d547cd530ddb

SHA512
e60c5e67dd77230d84cd2f75326203f8e4627282829ac6ee3ecd4116b3d3169361037fe983ac7270b8e94531e2cda7a073e4787a34c071ef5d05e58fc8b70ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2023b2e3811c3ba5ea9cba08611de54b

SHA1
c1c642556e8d6bbc44360bae87083a0caa4648bf

SHA256
7f6e8be853a330d5d019c41563cfb6b1636a632fe643485975605e2a1d66ee42

SHA512
0f5f435dbe59d792717df25b34c1c603365b428c24fdf4cfb8be69aa0a96dfd28eccb2372f2c4c53a1dd992befda0c67b19e86f7c60497fd8dc36a64d090d931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
3a44202223e22cd64bbd9b2a006faf79

SHA1
83a34e593299c651e687036bb41a248085601690

SHA256
bd35e888894536aac2ee4d9b2bd460845daab41090aeca36cee8c356e1499597

SHA512
67894bc979fa26d3c8b768546e538caf374600a8773c45c6b844055c3e20b33fcc9eed955a2e128f9d63c0db73105db77fa9d8d286b9659010c30edbb08b120c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
958268e0fdb8b5f0b55bb63334db34bb

SHA1
f30a5d0a66af2b1cdaef5e8b444c79c51517ca64

SHA256
93d5c120a22dea1618e1e35e9cec34445ce69dc431012639b412e474e9709b99

SHA512
47ad90d4421b0c7c5af589babb06b11b247ad9868b129c312dfab755063ee584164f6a5c995ccef161d45fc5d6671f21c4c64bfe5a9df2193c72e9e52f36a291

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
12.4MB

MD5
21b50cf197cc7b373cdcb720dd237783

SHA1
e7deba31da5d64a2fc636a3b40eb64d6d1563364

SHA256
638151c63d481f44d98f6990c425d5f0ec47f4000a034aedfa8ba7c0bd254c0e

SHA512
38e8a32242df8545cc26797fe318101ac6871784fd2a4c33b7f453a02d1e1e8e6e5e6c454ffd8dd0bd89bcfe8f79910412b08a24747d29fb33ba62fc22505188

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 320994.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/5544-2151-0x0000000074260000-0x0000000074282000-memory.dmp

Filesize
136KB

Download
memory/5544-2180-0x0000000000A60000-0x0000000000D5E000-memory.dmp

Filesize
3.0MB

Download
memory/5544-2150-0x0000000074290000-0x0000000074312000-memory.dmp

Filesize
520KB

Download
memory/5544-2083-0x0000000074260000-0x0000000074282000-memory.dmp

Filesize
136KB

Download
memory/5544-2149-0x0000000074320000-0x00000000743A2000-memory.dmp

Filesize
520KB

Download
memory/5544-2153-0x0000000073FC0000-0x00000000741DC000-memory.dmp

Filesize
2.1MB

Download
memory/5544-2152-0x00000000741E0000-0x0000000074257000-memory.dmp

Filesize
476KB

Download
memory/5544-2148-0x00000000743B0000-0x00000000743CC000-memory.dmp

Filesize
112KB

Download
memory/5544-2084-0x0000000000A60000-0x0000000000D5E000-memory.dmp

Filesize
3.0MB

Download
memory/5544-2204-0x0000000073FC0000-0x00000000741DC000-memory.dmp

Filesize
2.1MB

Download
memory/5544-2080-0x0000000074320000-0x00000000743A2000-memory.dmp

Filesize
520KB

Download
memory/5544-2147-0x0000000000A60000-0x0000000000D5E000-memory.dmp

Filesize
3.0MB

Download
memory/5544-2081-0x0000000073FC0000-0x00000000741DC000-memory.dmp

Filesize
2.1MB

Download
memory/5544-2082-0x0000000074290000-0x0000000074312000-memory.dmp

Filesize
520KB

Download
memory/5544-2187-0x0000000000A60000-0x0000000000D5E000-memory.dmp

Filesize
3.0MB

Download
memory/5544-2198-0x0000000000A60000-0x0000000000D5E000-memory.dmp

Filesize
3.0MB

Download
memory/5768-717-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download