wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Analysis

max time kernel
349s
max time network
348s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-11-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6B33.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6B49.tmp	WannaCry.exe

Executes dropped EXE 28 IoCs

Processes:

YouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeWannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exesatan.exesatan.exediale.exediale.exesatan.exesatan.exeirast.exeirast.exeSatana.exeSatana.exeSatana.exeSatana.exe

pid	process
5240	YouAreAnIdiot.exe
5532	YouAreAnIdiot.exe
5624	YouAreAnIdiot.exe
5708	YouAreAnIdiot.exe
5736	YouAreAnIdiot.exe
5804	YouAreAnIdiot.exe
5896	YouAreAnIdiot.exe
5952	YouAreAnIdiot.exe
6048	YouAreAnIdiot.exe
2172	YouAreAnIdiot.exe
2080	YouAreAnIdiot.exe
3428	WannaCry.exe
5324	!WannaDecryptor!.exe
992	!WannaDecryptor!.exe
5376	!WannaDecryptor!.exe
5724	!WannaDecryptor!.exe
872	satan.exe
5316	satan.exe
1136	diale.exe
5540	diale.exe
4644	satan.exe
1960	satan.exe
1144	irast.exe
2848	irast.exe
4712	Satana.exe
5268	Satana.exe
5736	Satana.exe
5708	Satana.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exeExplorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{66C6F374-23D3-741B-5056-89006DF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Qexeu\\diale.exe"	Explorer.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

68 raw.githubusercontent.com
69 raw.githubusercontent.com

flow	ioc
68	raw.githubusercontent.com
69	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

Explorer.EXEdiale.exesmartscreen.exe

pid	process
3684	Explorer.EXE
3684	Explorer.EXE
3684	Explorer.EXE
3684	Explorer.EXE
5540	diale.exe
5540	diale.exe
5540	diale.exe
5540	diale.exe
5904	smartscreen.exe
5904	smartscreen.exe
5904	smartscreen.exe
5904	smartscreen.exe
5540	diale.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

satan.exediale.exesatan.exeirast.exeSatana.exeSatana.exe

description	pid	process	target process
PID 872 set thread context of 5316	872	satan.exe	satan.exe
PID 1136 set thread context of 5540	1136	diale.exe	diale.exe
PID 4644 set thread context of 1960	4644	satan.exe	satan.exe
PID 1144 set thread context of 2848	1144	irast.exe	irast.exe
PID 4712 set thread context of 5268	4712	Satana.exe	Satana.exe
PID 5736 set thread context of 5708	5736	Satana.exe	Satana.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\00d0c16f-1e39-4cf3-afd6-95526bd355b0.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241108175253.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5464	5240	WerFault.exe	YouAreAnIdiot.exe
5588	5532	WerFault.exe	YouAreAnIdiot.exe
5680	5624	WerFault.exe	YouAreAnIdiot.exe
5788	5708	WerFault.exe	YouAreAnIdiot.exe
6012	5896	WerFault.exe	YouAreAnIdiot.exe
6104	5952	WerFault.exe	YouAreAnIdiot.exe
5124	6048	WerFault.exe	YouAreAnIdiot.exe
1724	2172	WerFault.exe	YouAreAnIdiot.exe
5344	5804	WerFault.exe	YouAreAnIdiot.exe
5360	5736	WerFault.exe	YouAreAnIdiot.exe
5684	2080	WerFault.exe	YouAreAnIdiot.exe
4656	5268	WerFault.exe	Satana.exe
1944	5708	WerFault.exe	Satana.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

YouAreAnIdiot.exeYouAreAnIdiot.exe!WannaDecryptor!.exesatan.execmd.exeYouAreAnIdiot.exeYouAreAnIdiot.execmd.exeWMIC.exe!WannaDecryptor!.exeSatana.exeSatana.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exetaskkill.exe!WannaDecryptor!.exesatan.exeYouAreAnIdiot.exeYouAreAnIdiot.exeWannaCry.execmd.execscript.exetaskkill.exeYouAreAnIdiot.execmd.execmd.exetaskkill.exetaskkill.exesatan.exe!WannaDecryptor!.exesatan.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

4328 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3940 taskkill.exe
3472 taskkill.exe
4800 taskkill.exe
2696 taskkill.exe

pid	process
4328	vssadmin.exe

pid	process
3940	taskkill.exe
3472	taskkill.exe
4800	taskkill.exe
2696	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exeWMIC.exemsedge.exesatan.exe

pid	process
3040	msedge.exe
3040	msedge.exe
2232	msedge.exe
2232	msedge.exe
3664	identity_helper.exe
3664	identity_helper.exe
1724	msedge.exe
1724	msedge.exe
5612	msedge.exe
5612	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
2640	msedge.exe
2640	msedge.exe
6052	WMIC.exe
6052	WMIC.exe
6052	WMIC.exe
6052	WMIC.exe
2244	msedge.exe
2244	msedge.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe
872	satan.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3684 Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3472	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeIncreaseQuotaPrivilege	6052	WMIC.exe
Token: SeSecurityPrivilege	6052	WMIC.exe
Token: SeTakeOwnershipPrivilege	6052	WMIC.exe
Token: SeLoadDriverPrivilege	6052	WMIC.exe
Token: SeSystemProfilePrivilege	6052	WMIC.exe
Token: SeSystemtimePrivilege	6052	WMIC.exe
Token: SeProfSingleProcessPrivilege	6052	WMIC.exe
Token: SeIncBasePriorityPrivilege	6052	WMIC.exe
Token: SeCreatePagefilePrivilege	6052	WMIC.exe
Token: SeBackupPrivilege	6052	WMIC.exe
Token: SeRestorePrivilege	6052	WMIC.exe
Token: SeShutdownPrivilege	6052	WMIC.exe
Token: SeDebugPrivilege	6052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6052	WMIC.exe
Token: SeRemoteShutdownPrivilege	6052	WMIC.exe
Token: SeUndockPrivilege	6052	WMIC.exe
Token: SeManageVolumePrivilege	6052	WMIC.exe
Token: 33	6052	WMIC.exe
Token: 34	6052	WMIC.exe
Token: 35	6052	WMIC.exe
Token: 36	6052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6052	WMIC.exe
Token: SeSecurityPrivilege	6052	WMIC.exe
Token: SeTakeOwnershipPrivilege	6052	WMIC.exe
Token: SeLoadDriverPrivilege	6052	WMIC.exe
Token: SeSystemProfilePrivilege	6052	WMIC.exe
Token: SeSystemtimePrivilege	6052	WMIC.exe
Token: SeProfSingleProcessPrivilege	6052	WMIC.exe
Token: SeIncBasePriorityPrivilege	6052	WMIC.exe
Token: SeCreatePagefilePrivilege	6052	WMIC.exe
Token: SeBackupPrivilege	6052	WMIC.exe
Token: SeRestorePrivilege	6052	WMIC.exe
Token: SeShutdownPrivilege	6052	WMIC.exe
Token: SeDebugPrivilege	6052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6052	WMIC.exe
Token: SeRemoteShutdownPrivilege	6052	WMIC.exe
Token: SeUndockPrivilege	6052	WMIC.exe
Token: SeManageVolumePrivilege	6052	WMIC.exe
Token: 33	6052	WMIC.exe
Token: 34	6052	WMIC.exe
Token: 35	6052	WMIC.exe
Token: 36	6052	WMIC.exe
Token: SeBackupPrivilege	4736	vssvc.exe
Token: SeRestorePrivilege	4736	vssvc.exe
Token: SeAuditPrivilege	4736	vssvc.exe
Token: SeShutdownPrivilege	3684	Explorer.EXE
Token: SeCreatePagefilePrivilege	3684	Explorer.EXE
Token: SeShutdownPrivilege	3684	Explorer.EXE
Token: SeCreatePagefilePrivilege	3684	Explorer.EXE
Token: SeShutdownPrivilege	3684	Explorer.EXE
Token: SeCreatePagefilePrivilege	3684	Explorer.EXE
Token: SeShutdownPrivilege	3684	Explorer.EXE
Token: SeCreatePagefilePrivilege	3684	Explorer.EXE
Token: SeShutdownPrivilege	3684	Explorer.EXE
Token: SeCreatePagefilePrivilege	3684	Explorer.EXE
Token: SeShutdownPrivilege	3684	Explorer.EXE
Token: SeCreatePagefilePrivilege	3684	Explorer.EXE
Token: SeShutdownPrivilege	3684	Explorer.EXE
Token: SeCreatePagefilePrivilege	3684	Explorer.EXE
Token: SeShutdownPrivilege	3684	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe!WannaDecryptor!.exe

pid	process
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
5724	!WannaDecryptor!.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	process
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
5324	!WannaDecryptor!.exe
5324	!WannaDecryptor!.exe
992	!WannaDecryptor!.exe
992	!WannaDecryptor!.exe
5376	!WannaDecryptor!.exe
5376	!WannaDecryptor!.exe
5724	!WannaDecryptor!.exe
5724	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2232 wrote to memory of 2716	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 2716	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 1732	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 3040	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 3040	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe
PID 2232 wrote to memory of 4632	2232	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2220

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3220

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc34a246f8,0x7ffc34a24708,0x7ffc34a24718
    3⤵
    PID:2716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
    3⤵
    PID:1732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:4604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
    3⤵
    PID:5056
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff66edc5460,0x7ff66edc5470,0x7ff66edc5480
      4⤵
      PID:4432
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
    3⤵
    PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
    3⤵
    PID:3896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
    3⤵
    PID:1964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
    3⤵
    PID:4652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4052 /prefetch:8
    3⤵
    PID:1296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6688 /prefetch:8
    3⤵
    PID:1068
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 1204
      4⤵
      Program crash
      PID:5464
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 1168
      4⤵
      Program crash
      PID:5588
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5624 -s 1168
      4⤵
      Program crash
      PID:5680
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 1168
      4⤵
      Program crash
      PID:5788
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1228
      4⤵
      Program crash
      PID:5360
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 1228
      4⤵
      Program crash
      PID:5344
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 1096
      4⤵
      Program crash
      PID:6012
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 1096
      4⤵
      Program crash
      PID:6104
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 1096
      4⤵
      Program crash
      PID:5124
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1096
      4⤵
      Program crash
      PID:1724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
    3⤵
    PID:3672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
    3⤵
    PID:5452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5612
- - C:\Users\Admin\Downloads\YouAreAnIdiot.exe
    "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1168
      4⤵
      Program crash
      PID:5684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3104 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1140 /prefetch:8
    3⤵
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- - C:\Users\Admin\Downloads\WannaCry.exe
    "C:\Users\Admin\Downloads\WannaCry.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 49171731088495.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5824
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo c.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4800
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      4⤵
      System Location Discovery: System Language Discovery
      PID:1940
    - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        
        !WannaDecryptor!.exe v
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5376
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6052
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:5724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
    3⤵
    PID:976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
    3⤵
    PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
    3⤵
    PID:2976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
    3⤵
    PID:5776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:8
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1320 /prefetch:1
    3⤵
    PID:4740
- - C:\Users\Admin\Downloads\satan.exe
    "C:\Users\Admin\Downloads\satan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:872
  - - C:\Users\Admin\Downloads\satan.exe
      "C:\Users\Admin\Downloads\satan.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5316
    - - C:\Users\Admin\AppData\Roaming\Qexeu\diale.exe
        
        "C:\Users\Admin\AppData\Roaming\Qexeu\diale.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1136
      - C:\Users\Admin\AppData\Roaming\Qexeu\diale.exe
        
        "C:\Users\Admin\AppData\Roaming\Qexeu\diale.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_9bb52eec.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
    3⤵
    PID:760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
    3⤵
    PID:3532
- - C:\Users\Admin\Downloads\satan.exe
    "C:\Users\Admin\Downloads\satan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4644
  - - C:\Users\Admin\Downloads\satan.exe
      "C:\Users\Admin\Downloads\satan.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1960
    - - C:\Users\Admin\AppData\Roaming\Abax\irast.exe
        
        "C:\Users\Admin\AppData\Roaming\Abax\irast.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1144
      - C:\Users\Admin\AppData\Roaming\Abax\irast.exe
        
        "C:\Users\Admin\AppData\Roaming\Abax\irast.exe"
        6⤵
        Executes dropped EXE
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_481060c1.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
    3⤵
    PID:3856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,432004230957794533,10946402564282573806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
    3⤵
    PID:464
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4712
  - - C:\Users\Admin\Downloads\Satana.exe
      "C:\Users\Admin\Downloads\Satana.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 412
        5⤵
        Program crash
        
        PID:4656
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5736
  - - C:\Users\Admin\Downloads\Satana.exe
      "C:\Users\Admin\Downloads\Satana.exe"
      4⤵
      Executes dropped EXE
      PID:5708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 388
        5⤵
        Program crash
        
        PID:1944
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4352

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5240 -ip 5240
1⤵
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5532 -ip 5532
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 232 -p 5624 -ip 5624
1⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5708 -ip 5708
1⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5896 -ip 5896
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5952 -ip 5952
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6048 -ip 6048
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2172 -ip 2172
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5736 -ip 5736
1⤵
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5804 -ip 5804
1⤵
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2080 -ip 2080
1⤵
PID:5676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:5504

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5268 -ip 5268
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5708 -ip 5708
1⤵
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.WCRY

Filesize
8KB

MD5
d5de02f90d52a51aa6b8d6b238680360

SHA1
78d63793b2b54cabade8535a017eaa908da3afed

SHA256
659a8dfc8e89a65f759c5a5872af00294f7259ee1d1647c22848b7636100afb6

SHA512
706f5ea5687e47b2693fac5f58859fcfeef73c5da8fd556100164a1b2344afbf796057b6a3c62d6ee8d3924895277cb6f54bc33980284218547fb5d1abc44bb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png.WCRY

Filesize
1KB

MD5
179ac0bbbed44557ccf5a64eee4c21da

SHA1
55fd89fc059dab17e82384fa965216889d98e117

SHA256
e6162388c1900615173b4f1eff6f42e0068bd9d04a330783a2bdade95873d254

SHA512
7d21767bd40b47432093241d402ad2aa3392a3e908bf5b1d22c3e9ef8c94740c8cb988cd5e55858ec71d7432005856517050cb37d95b9a6a3c7f5c0e98e96dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
467bc167b06cdf2998f79460b98fa8f6

SHA1
a66fc2b411b31cb853195013d4677f4a2e5b6d11

SHA256
3b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd

SHA512
0eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc10dc6ba36bad31b4268762731a6c81

SHA1
9694d2aa8b119d674c27a1cfcaaf14ade8704e63

SHA256
d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f

SHA512
0ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\321dfda3-b937-460b-bc1f-f8f90c66b7bb.tmp

Filesize
6KB

MD5
b4c3063de0b18d4bdd4747124fe051b0

SHA1
88b379a886486663f9bd7c0422fee263533af5f6

SHA256
194167a9bbb186b9632a405575fdacf132cd9c9bf18e57a01f1b8870359c4d2d

SHA512
95d7b3db97926e3bed641359066380ce5e55983b9c027dc888542727e317b611f2acafdf13dfb8e23e190f2f8763df49452aa15ff2a8c492559483aaa5bd2c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\870c8fa1-d74c-4476-882f-b98d7765ffb2.tmp

Filesize
1KB

MD5
b4c983e01cce4ca36e08305f02066662

SHA1
8d20a8e6aff31c46e466fafaead823e994052530

SHA256
7bf199720543548c399f3c1b3dd3d81161a308c2e4e6f6213715e230c8bc1ac2

SHA512
90f5f87275c42ce6a7a4f519647f620359277baba2dbcdce02b208b9e67ac550137d3ead946430c9ea2ac9ef820f3b60057c4bbff15520c1b2f7566f7161115e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d0ea918f7b969511498f1a470f38ec62

SHA1
66bd01e5ab092595e3394ebfda890ff519e47ff4

SHA256
cd7c7c0dfe8c571ad762c0e3bd83c9f114382edebf542a8aa13442e8e7f9e9d2

SHA512
0525482b459e007f21e3f93bea5cbcad61a030f5220b7587ccb84079b01c6a1ebef8daed376cd9d1040598f05a09d0980b3619e3f8def0f2d176a7673745682f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e0a27bffcf8c7cb4312eb1a37a635c59

SHA1
3b3664082245348a177977740f1ff4ea57666a0a

SHA256
56417324336287f6e3db37aa2f9c517f55a42094aa389e9e931030306aa342f1

SHA512
d8d8b3007c020034f1ce6f8356b06fbcfb844c40e93adcd270d43c2da8de94322c9ccd0e612aadd287c153b5975946f651c1d2f39b89f967bd1b4dbcf44b63a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
649B

MD5
85db394cacbe42473d6fa67c53e0c587

SHA1
f1f233e0a87577001a15a49c792056174aa96db5

SHA256
292b7303f1fd94197099e8c3c3abc810cb33074d14ae9d5c378c1794b0457143

SHA512
67288fb346140735849f6070a8d189c843845d66d865d3d51768ff617bb1bd586133cb9589e371293e5ed5c7304448283215100db123ec599d8eb4e8c5dfa595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
e51401bdf1eae288a9ba5d952ebb3aa9

SHA1
5effd82fee8231e1294fd404dd1f10caf5c41fd2

SHA256
a08ea4c022c5207583d92dedf27194f6d81335b90bef42e90132333220a52fa2

SHA512
f777e86f2eb64d2c31afba76f544f9a65392b0d77de18e16d6a2b5534f43febc083f757d37c0719b29b556c5f73b1238c0857ee7b9a6e18c0c9c99ca54133edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe587848.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
342c5a98c3db766793234ef7d4f5e6fc

SHA1
0522f050b05022c972585d655a13d6d90b0d3cf2

SHA256
f0b60cf9083551def87b186937f220b9b09d5280d2bd5726ded8b50c588ceefc

SHA512
548647fb901d4294da6145e79e90ce6af7d6551ac3dd1e8a060a815528973a6e9cf79f4531f50c4d655b5b003a46f46ea331c6c69a6a8c8cc486349a168c82fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca52cadf7df76dd9f81e6c6fe589831e

SHA1
9a9f3eccdf2746b448a255a88a36f67b0ded5410

SHA256
fc2ee0eb8783c037eff3a49cdbf0b2b49e012c5c9a30c9961ed798ca7393eadc

SHA512
979377204ff85be675e807e131c350eb514fb1b9f8c08b20fb0fc3dab82d69439196c8927a95aa65d57e7c5d52cdb9294a545c8b8404cc7439b8d2de642155e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
757f39b25fbd594c2ab5068ab1a16b12

SHA1
ae3290345e828f10bb55136645bd85887cf3fc50

SHA256
8b88c6188ba492cecc1dac0ba5951a12b0f6b938dbd5678eaa10400aa1004d74

SHA512
2ce6a6d3441276e4f9e151bd157e22c56a5ff9316ee632438c73993d7011d61facf7f3bcd640319bd4eaa41ce90e327096aae1aeb71bd9a054e95d39b2d84e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
946f3e26d2a2c77298562182d8cd6f57

SHA1
5d10e5574fe678ede47fb73eec4850166cccb215

SHA256
3a3ce6cace87466b77dd055efefb4fa17b52b99954cf8cdc2ad953b81f9a0cdf

SHA512
1c7244ca99e6d54fb24ea4fdb82811dd1b6db20c8aabdbb411316640dc8d964e383562ea731be7fdcfa313e062766294af95ce04a3f5ac53369793f6c659298e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cd5140b937f125a3ea8a84bb9550bf0

SHA1
33dbf9b9729bb54167aae5cf6a909d330eab5458

SHA256
dfca387fabd9d3fc698fe2661af2a9a2472eee7b2536e8a1cd8ce1b854f7934d

SHA512
831a42fe192b813c65f3eaefecff37427b66aa183cc92ae3b39075bd1031aa4a452330b51e09b0517c2b0f2f692308fb899ddd668ad37a3c5f4e701c29e92e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eeb5a54202b703a52f971c914719b6f1

SHA1
2ab28118e72331c5a320ce2cc7334ec493b5da93

SHA256
7b49b4c50c792005aca3f3d97ae1e723c2fb7488e79b2a04ccefc2c6cf95c904

SHA512
371247250299046a84ac36074c3a873d5353e9d98bf57b1abaf60be3e094fd81fd7edc6a781d165dc370ed459d4c1a1e0778f29cad01b0ab174e7e6e1bc11c6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fcb047f644bc617ae5e531678d4bf5d1

SHA1
4a5304f532a44cba4d587434fca771c8fdaf979e

SHA256
a64c574926b859cc65be2e2251fbecdde3ae33657b535e74b6d1057d1346bab5

SHA512
3720d52d3693c4665f6df6cef20f24eb44c9aaa0beb9813d1fe658dd118c07e3cfcff8a4ef7d2dd2499ed0d4be5a8fd4fb3b39e0a1aeb1c8827d9e84b8b0d077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3312819b4d0d39f0f238ec26c5d2660

SHA1
a9e67cc9bee1a8d6a5c1c9b906efe07e6a6009c4

SHA256
3f6340ca913fe621bfcfbea9271f115732976ab6580bb2a3b03ef8c79207944b

SHA512
c592bdb90d247528c9a5bd40a128667bcd2ab6b904962c205faac54d7f4ee10fa2a9fccd36581e9a28aac3c85e7673433f8d25fe2866a4c42bc6b5ea7b702341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62f36cc6679792688cca151b77f28e65

SHA1
446d5efee4a03a7442b8951dccf60c840e7855da

SHA256
810b184047571f5811192388722fc37947ef588df7d4e544e9469b4b3976e7f1

SHA512
8de2ebcd529e325de97d13731d4c4aae7b188a7d10b73186125680f9f26af27f1321987b44652fd0b705c09fe82953395d7a988e3677b191cb0979a4a217a667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d3e6d8e2f6cef69668c291ef94deda4

SHA1
5990bad01fb23a0af1ab2a6114f48bd18190e998

SHA256
422dbc9dc608d6b44d193bcfa44309b1e75ea515a3b881cf121433182cddc3e3

SHA512
297f9bc0b8d6fed182390d0f02e575cdadf95d773963509fdbe84ca511ebbaea6a6cfeafb2b98daf864dd231ad1147c293225f264b8dd782648ffd9b16975ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec31bb0fd07b9a631db7000c70cb10b1

SHA1
77f06adb0591353aa5bfa37defdc28dfcad7fc62

SHA256
00e56a4812059eee4ea4a308dd62e18f24bf088a3f096c9ee0f33273a3265fd8

SHA512
8920d635662a74c0877c1f7385f7ad45728c8f1f833eb988b59676be82cf748ef4d2eb3a8bd48c3a6ba8dba78dce87808a696c6d3b3f2d9cf50d8cef20c01025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3b964859deef3a6f470b8021df49b34d

SHA1
62023dacf1e4019c9f204297c6be7e760f71a65d

SHA256
087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5

SHA512
c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5c2d5c900312f44e72209416d45723cb

SHA1
68fb8909308589149399c3fb74605600833fbbc1

SHA256
56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8

SHA512
07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a7a906a35b8d9f5af1bc791bb07946d

SHA1
c379aae79d9c2cf7cb2908123263f77fcd687c95

SHA256
e88fc2c32cddc2a77839771fc13823b5ba5e59bcd5532cc6ba347fe62dc2ff4b

SHA512
450e2d4a2e03a4bb1bf2927a037021ae73bd93574d1c15bd581792697a6f81ebe3884fddb7409de8236d953b243289c141fb5350ecb81a8a0427c52370df2f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
b95e46060a1005b6dd219f1d2b5b9e57

SHA1
ea71a620576cc425d2d3489c7bfccd0c44674398

SHA256
b154a96f7456100dae9374a64ea279f1538b3e2792f3a225dd73e3a8d442c329

SHA512
ba2ab075163847e36bcaf28ba2091c0b4d9fb02ebbdb82a3d460434e905df310080ed68a2b5a6c81da0d48728878b31ea2f456898b04d7696c858778d3f96127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
786cc0c86b7f1c4eebd183c878c96995

SHA1
46e627f78dc2650df9ac153551bd4e88cf2de240

SHA256
b4c5e83b54272343f92163cb408ed5192531c1d5011b544319c4f7a0435221d9

SHA512
4743ea17276e8c41577ed2d16862bcf5582dc578379c8464a3a0fee6accf838862c4907d091ac411fe6ef50e2d4aa2f5b3382b898007e50825260b91f722db22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f990f1015866b2e1a5a415dd79f8a646

SHA1
30e978990f5de4528e7da39e561cdfb55c1c79f0

SHA256
262455f53afd665608b3c2e65829ad9c065eaa6da32ba304a5ceb39c791b5c2b

SHA512
825c5efeec619dee9497b19d9bea1c384df4fe80cffd2d7fa06dc6717e5408c59c7bdcfd219ba8fc0821ea017f1d5490a53769dc7def97bccca1c03b9970ee03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dcc8d5ae14e83eec729f77f86c2e1fca

SHA1
74a86ca952a44ac37120f8753ce11025282cef6d

SHA256
f30e549011dee8be95d630553828213d38a66639df1a62887d961321459538ab

SHA512
e6c2814064e1a13e9a61cd99da5739cf57841560cabed14f720a6657c1606f02c767afe809fe4fc1064d39c80da203c55f36ddcec6003ad5ecbba54d2b041e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51108a6d3ec55dd5124ffe7fae97f57a

SHA1
cd87a49d1f2136c6bd292ea27c11823e5c60a300

SHA256
b123b52971cc538844c6f91f2ef29a3665dcbd649081b70b0915ff8c009bd4e6

SHA512
ab0d9052292facced8fbf41a51c31d9a7d618309e4c46308ee60ab79e3d4a5f2cee6bb222d98989491ea815642e1cf28d6167f9ba082a54ad17ff7bbcb039dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0596c0c028bdfe01876fdbf11e3bd4a9

SHA1
1a7cfe37398135cc91cc228919abcff897d53fc5

SHA256
b1864fcfc72f7627e3129e786d3bf151fa602c7f71cb852e6b192b683a944dc2

SHA512
c8df178f5f079a847a2ed2411a80aed49c99b137ba92201cfe42f59061087137728d2e0d6d39efe08177d60e002a5680525e95daf952abfc4509ade62ed1f324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e3530ab8eca9a1d522cbe7e6e3f31bb

SHA1
e1f010203b4fc37da8bcb66141caf1c9bc316cac

SHA256
75c6c72a54e8fb4b358cb2d059a468ac1c7c7a4f2073728bd2cc60e61fad92c2

SHA512
92ca1ae63f2537f3107fbf3af368e7533ecf0145eaefba5b98a759c786b7ad4f242291694333b87dfc41a2ebde6980817c14db533b03dfc12827058ec101e4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
94c7a053a5c29c2ef9ef786254eb7582

SHA1
e8691088266cdf4bae2c3d796ffc2f544fc0c423

SHA256
926ef512cb7327af7f6e26437099687d2f685dafe3f4b8a95fd1e4832c984313

SHA512
0e77aff4ee4e1778c451cabe4dc4f2c4acf17ee65fa20ccec9acff28c8956c2d326824a84b015ca2b04f606a8e41bf4e8a7a8d22f2962dc9f7533d4b986c4f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b91e.TMP

Filesize
874B

MD5
3412291408f8e94e4dca068799e830a8

SHA1
a98b2c0b494c7c7aff4bbac13dd2c42a283de919

SHA256
4b9232f6465ab2e65458c3ca2bd15a1a7066da2028c8aa037cef492fc1e3d3d0

SHA512
0bb20d5c73264af2f5235046e79c7baaa12291a4500feafbfffc84d49f16010c507c9394c58d87961395dad5ec31180535114b8704185c4ddc36a7b44be11c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c4124e47-6b91-4012-b05e-209a20e43a59.tmp

Filesize
1KB

MD5
7fb8c534ac5422854d65a6738ab431ce

SHA1
e52595cfcc4f575b8a69f88a911c51e161412e11

SHA256
fc648bbb54a2dd88c0da48764465e13eefa4bc7932d1d51641e87e61f75a47a7

SHA512
91fc6b4e5e8843e65b929cf733867bf45d174eaa8959c1e344e29c9fb270ff46be3e3126de01644d91b1f45f2bef0d77cabdc73b5956079f8bc613758642f44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa8876506bca663ddae29197edd24d98

SHA1
e7378a222896ac6962344f44124fb2222ed89a51

SHA256
7a4fca6f1a6a7b274b553a9810377c4c65fe0b0ba0c444aeee568a8ebe9f6020

SHA512
78027867df1fb1506c608c1301329e1622bc81cccbf53db177c4de6c966fb26c848689096c4d716bbb93ff214346e1722209f11d65c3cfe30d6163bb8fbd2b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c0713fd268d570d66f5b4d828eacafa7

SHA1
c85dc8b40b756dbbf751d33172e18c0858b8f83d

SHA256
1653027dda077a186f0b518d1376e7411d88f0ccdd9fba42544741cb6a6e48aa

SHA512
1280fc8d6e02dbc656fb1d307a972c057b4de31122105d739fce4398ff1e473056a278d6db8c2bb5d8919d0bf417e751dca3df07d14da32dc316e1d533d88e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
40a703a55d1613f0be5f0d9ae2df60ed

SHA1
451c04472a50503ed6f36839f5a99d1afc4f52ca

SHA256
a38870e0d1c94d9826187e4684eea45fd9eb72f3a8127c1ad651cece7b3ffc94

SHA512
8e97d553c5aed0e70d0578b4ae19e04c7743146e868277228ee95dd28cfa933c7ffeee66dc6a6d5a452c7a7a6b7d43f34db9191025ceac3d2ba32d1b41f52101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
55131a84e2e2cc8d8c4dd93ac814aaa9

SHA1
78a406923f1dd75b7f6a81d9f84c810aca3eff0c

SHA256
d2d390678448c578ab99073d82c34fd4dd316d764fbcc50fed466c2a4869dfd9

SHA512
a16e0170a4c11d96ae988b3677aa4bb6d4f2b5953ee5494822cabb3f04bfc448ae907cf7a1827f345b7f2fb9c4d391b791f936319a0fe9ce35ffb2186d0226c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ddd3fb2b5b20dd53e0e2b42e6e2f8f70

SHA1
cbde8581ba3be30464cdb2d9bb02fa9742d12c38

SHA256
f04f8d5e56ad4fc552de6fe86c8dfd7f1c90e5b401b44c5fb5bd3941bf2322c7

SHA512
0d40afbc421ed4029f4d2e0b930f6afcb028ffcefd51964998295bfe9a526200d0c793be4be07f72f026b3baa5f590c779a648f88df54a446de2ed2a8ab75bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ecc245f76a35a048a9730f95b99c27a0

SHA1
31827ffa5424fa9d46f721b1e344e1853c247142

SHA256
7b050d82f230e90cdcade3e2e4570bf4a80dea080dc42514c3033ce487b5b887

SHA512
dfc58b1fdf532e9fefaddfd4af4435ba9a2cf74a50055e9072e3df18ba32749a6f6502395c2549bd88d9b8a8363163211a8b0bc8c024dfc4bd12c2253ad80122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b06d41df07a141cc4256b8f633fcca03

SHA1
30f3bc8ecaa3af73c629a89d5bc1408479c5111e

SHA256
509f0bea06106398ba8944345cd7ba386027647b55a7548eaa731bd3b1be2296

SHA512
b5afbee222e3687a87bec596952da978df8a7d31956adcb032c1a57b31f3e4c0db2d1cd1888f022070a5f4a2e675c4481b4d4da1abf14591a82b928ddb3bf5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
448ecfd836e6dbb8ef5ea0d01bd2ec9c

SHA1
ddc81be15ac1d43f9fa0dbd9386fbf29bc5d9da5

SHA256
1dda34cfbd27168c8c8041e58658489649609631110dfa53b79bf4aaa32b0456

SHA512
573cbf655037d4e67ceb53e4b73315ac9b2cf8ac70a139fffe4a98d65c7312faed90362221abf81c8e6733211811009411bbd0dcf64869856599020257848c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c57bad1d5507e058bb5f39b39940a63a

SHA1
30b1ed694a8763f0f3b755272bce9693c386744f

SHA256
39ebec56e7ac0ff18a146214ec0942ab013b8f562e267ce632a320750f97a12a

SHA512
94508d22e0b4717bcf44c9018d4a4d108497598722e706420202a637b8df84c5ff3c285aeb6b4f96b59c89e72ca78b82aa51ce46ab6dd4b4a75998d8bf34a510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
847e287a0cedad026d12425b246cb66c

SHA1
9481786fccc171c3884aa7dcf28f35b7ef43c817

SHA256
15ec0f6b116ed19f70a396af5efe306568ce1427547bf1f8e7f5a9c246196283

SHA512
50617f57d4cc36a4a6a4883b9d20ca265cd969742fda438b2eeeb47eaa8bd182edb17337731dcfacc6f60c14f8e2ff9de4146fd49ac1b1b78917383be6ee35b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b97bedceef6a86a3814ae0395649a0f

SHA1
6a588d538779f189f684a15e78dbe4079c6ba6b3

SHA256
fda8ef3f34751fe2d99b8c597d7a94cebf07e8f4888de83e7cf7b62325552f0b

SHA512
5d80760d80fd9e63f9876501c725920ae2f458a24e218a1431c6642aabc60e58c6366680ebef383929b47cb09b59530c402fa9f062d2985822237e6f282ebf9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ff4589eea975b205fd136ce14f2e87e

SHA1
65b58976fc41f1fc057dc2265379d31c90b84fd6

SHA256
aaafa6b9c4503834262f2156a2b9d0fdbfeb2bfeefddd893de3c398a60e3dd4b

SHA512
56443a002d6281d6c71ccdb3569deb1d9c959a5f006c30cced44479c63769130f6098a80b507fd7abff536ea123552175368b91880f1065e56b2304bc4e164b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.WCRY

Filesize
1KB

MD5
572caf984365d0ad6e9e19f106015c2e

SHA1
727439f5418f6b35a0373cfa7d5ad16a9f077890

SHA256
70939684156bb76019cec748b991d6a821c03e08096019a02e26dfcb80ad5bd1

SHA512
a6b8a6f765f7e93a856d9e31178b5d37c129a39d2ddd92e43d22e27c3c45f03c5afd18c3987f605f91c45fe0bf990f6a58d40a680193f5654121a3cfc8d45e19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c2603352ec31b0f4cd6d81edb8b201c5

SHA1
e77ad9ac6f04dbe9d82d6f9567714be3d28790d5

SHA256
704479db31d50943b3bc98dae4096705dc494955519d277afcc67bbf3512ebd7

SHA512
23e3ea6932d98fb9f98c11a096641c0f1fcb06dd8a6389499e4428210bde2b541b912e63ad059be0a1e40a9bcb4520634cac940399800490d37f2402e9d08391

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f9399efb5d2e1e252cb13c666708d35a

SHA1
fdfefb783d5a3c4b88f96656c0ca5e775af9572b

SHA256
27def3a4f31f691cd726551397b6123618cea82366f07459700fd6f28b2300f2

SHA512
7b41383a08b3e9fb6e5d2f5113787cabaef6a101a835e6a42681cc157dd769771b199f9e1f574b26c7d93845fa62d9a206545a0d126801c65b0db00559618874

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
13195d8407e3abcfca72ce1787a8593d

SHA1
c254fc538dddbc684a828fa7ab255bdefdbcd3fa

SHA256
98b457c93a54209003a1dd16fba53837a8b2489c9adcc01e6f73bec0735c1c11

SHA512
b7bc5061b3006e97f1e99f9b9f58327ab2e73b162ad49050704954acec2788847c0e312e5abd05ddb12c27345a9584217ae1796a4fac15eefeaf88590316575e

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
fd69cb55132690a14f962cff43a465ca

SHA1
cf5aafcfab0d0744b93672b232fdcb84d36d5255

SHA256
d0d5e3e1062824499828402b94a418a8bf052bc1e68a56bc7d6185c8bef124fb

SHA512
faf18c9fa94687adce47100e6b83380bff2e1d7d8fe5e52f75a1919144d71cf14a5baae951dd05a1f44becd4ff17c2cb6632750f385f6e4bc4d568e1ed476904

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
bf2bff7d7500bd1f5a5c1f6156b0386d

SHA1
40b140bc2217ad655f3be26bc69e30f43c8d2576

SHA256
6f6b0a7442c487f25b598a8c41de190af2f09d5110326b185a4a040b30513fd7

SHA512
a3fc734ca7445bfaf9d2e7c26792b2eb54cab25d584ba2a2d473c6dabe6eee30b51e78840cbba11d586c390259fd5c31aab79e278a260e149fba90dc8281dbb9

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
2fabba13194945e093f52de626939824

SHA1
547a66b1eace203b2893aae42492c99cb3e861b0

SHA256
cef71aa64f8ae03b9afe24ef971a02a787c3a8b529f0e534c4aec904d881c4c7

SHA512
9052d6637fd9d5a878bcab87f0d4998eec1123c232312b2ec54d07e88980b2a17daac79422b9b6f6942dcf7a5a88896b78faf125c202e9084698fc4cff5eb336

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
2f0cc254507f85891deff217a8a09130

SHA1
0f802c820a7a50324b613d7cd06832942b58269e

SHA256
e4494ba0cbea9a828728235660e478cb625b0a3331360b148a192543cc68eb57

SHA512
e64e607f60632671833e28602d72c5b24299116bf055ed8ced568ba65078446bf4ed8695a85e2cf42629b3b34d94d25a557dacf074ca6975d0615ea69d4b60c3

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
704eb8495ff28508f3275c34b86c0185

SHA1
0c2eaa39e19609ad21dff7d75a91c74c80040761

SHA256
3cb6067be10f98b3f113b993f14e1a6748adb8b340da2d15cb9b61aff92dcae9

SHA512
7c49fdafa785d54c85872d3ce3a620f507532b74ab21d2ef16b06f325f9456e6eeb5df079c546566933b8a7ed859b9e1267a8d8e9a5e39b9b01309eabd2cb291

Download Submit
C:\Users\Admin\Downloads\49171731088495.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 125457.crdownload

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 536952.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 565267.crdownload

Filesize
184KB

MD5
c9c341eaf04c89933ed28cbc2739d325

SHA1
c5b7d47aef3bd33a24293138fcba3a5ff286c2a8

SHA256
1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

SHA512
7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 759734.crdownload

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
f40c152aa244d51b84fdeb27cf3a4cad

SHA1
a92b9c3e8fb7500f7e5bb337f3a31350e6cf3a7f

SHA256
4c223ac9988debfe1ade7ce70e267cf07d5c0d02b590cd25e815d9a5a0697e29

SHA512
6febb0e25aad4e085a19a075574de6f890607e6c5c894078dc9c664194f0046830b635d5279dd048b0fd7a015f6bac54b420e6d7c515a10823c7781fd41a5835

Download Submit
C:\Users\Admin\Downloads\f.wry

Filesize
441B

MD5
82328c6d9c760d8ca12a13adea364cf7

SHA1
f55bb901978cc85beccb1625b3b37fe59d852443

SHA256
e2bdbdcea36d3730deacb6ab8b12b16e6bfe66694ff8a652cc2e323ece5f528c

SHA512
f0eb2706cdb76a41a75b5e448a5a6dd2dd18d8281e578087009b92bcfd190d44730b12c9e223e17eaa5a673195b717164d75fcdbabcb7eb6dc99cc9728a7207b

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Pictures\PushSelect.gif.WCRY

Filesize
485KB

MD5
af3c202a5d9f0460d63ea31ac95b6881

SHA1
eee5e6210da0259464d2ef879e3b31429697b27c

SHA256
5da2a148bc458473441a87272fc3cf8b79dfff878efd0f92e2d566d96d63e9e3

SHA512
f0ec28ac4e55d7668fdf569efe5e35fc581fb0a4ffda76848b2cb4465801fd300201cbd69b5ea7f6b6c45b37391df69c4d89d60e4eadb58851afbd30fe456c39

Download Submit
\??\pipe\LOCAL\crashpad_2232_VMCDMPHCXQDTGKWZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1136-2018-0x0000000000F40000-0x0000000000FE0000-memory.dmp

Filesize
640KB

Download
memory/1136-2028-0x00000000013B0000-0x00000000013E2000-memory.dmp

Filesize
200KB

Download
memory/1136-2014-0x0000000000DA0000-0x0000000000E3E000-memory.dmp

Filesize
632KB

Download
memory/1136-2000-0x0000000000A20000-0x0000000000BBF000-memory.dmp

Filesize
1.6MB

Download
memory/1136-1995-0x0000000000170000-0x0000000000200000-memory.dmp

Filesize
576KB

Download
memory/1136-1983-0x0000000000610000-0x0000000000906000-memory.dmp

Filesize
3.0MB

Download
memory/1136-2012-0x0000000000420000-0x0000000000442000-memory.dmp

Filesize
136KB

Download
memory/1136-2029-0x0000000001050000-0x0000000001068000-memory.dmp

Filesize
96KB

Download
memory/1136-2032-0x00000000030E0000-0x0000000003162000-memory.dmp

Filesize
520KB

Download
memory/1136-2031-0x00000000030D0000-0x00000000030DC000-memory.dmp

Filesize
48KB

Download
memory/1136-2030-0x0000000002D50000-0x0000000002D84000-memory.dmp

Filesize
208KB

Download
memory/1136-2013-0x0000000000D70000-0x0000000000D9B000-memory.dmp

Filesize
172KB

Download
memory/1136-2027-0x0000000001020000-0x000000000104F000-memory.dmp

Filesize
188KB

Download
memory/1136-2026-0x0000000001470000-0x0000000001570000-memory.dmp

Filesize
1024KB

Download
memory/1136-2024-0x00000000012D0000-0x000000000136D000-memory.dmp

Filesize
628KB

Download
memory/1136-2010-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/1136-2023-0x0000000000FE0000-0x0000000001007000-memory.dmp

Filesize
156KB

Download
memory/1136-2022-0x00000000011B0000-0x00000000012C7000-memory.dmp

Filesize
1.1MB

Download
memory/1136-2020-0x0000000001080000-0x00000000011A3000-memory.dmp

Filesize
1.1MB

Download
memory/1136-1982-0x0000000000550000-0x000000000060D000-memory.dmp

Filesize
756KB

Download
memory/2220-2016-0x0000025384B50000-0x0000025384B67000-memory.dmp

Filesize
92KB

Download
memory/2220-1985-0x0000025384B50000-0x0000025384B67000-memory.dmp

Filesize
92KB

Download
memory/2344-1990-0x000002286F190000-0x000002286F1A7000-memory.dmp

Filesize
92KB

Download
memory/2344-2007-0x000002286F190000-0x000002286F1A7000-memory.dmp

Filesize
92KB

Download
memory/2948-1991-0x0000020623F80000-0x0000020623F97000-memory.dmp

Filesize
92KB

Download
memory/3016-1984-0x0000022D5C070000-0x0000022D5C087000-memory.dmp

Filesize
92KB

Download
memory/3016-2011-0x0000022D5C070000-0x0000022D5C087000-memory.dmp

Filesize
92KB

Download
memory/3220-1986-0x00000192F4340000-0x00000192F4357000-memory.dmp

Filesize
92KB

Download
memory/3220-1999-0x00000192F4340000-0x00000192F4357000-memory.dmp

Filesize
92KB

Download
memory/3428-574-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3684-2005-0x00000000027F0000-0x0000000002807000-memory.dmp

Filesize
92KB

Download
memory/3684-2004-0x00000000027F0000-0x0000000002807000-memory.dmp

Filesize
92KB

Download
memory/3684-2003-0x00000000027F0000-0x0000000002807000-memory.dmp

Filesize
92KB

Download
memory/3684-2002-0x00000000027F0000-0x0000000002807000-memory.dmp

Filesize
92KB

Download
memory/3684-2001-0x00000000027F0000-0x0000000002807000-memory.dmp

Filesize
92KB

Download
memory/3684-1987-0x00000000027F0000-0x0000000002807000-memory.dmp

Filesize
92KB

Download
memory/3764-2008-0x0000019291290000-0x00000192912A7000-memory.dmp

Filesize
92KB

Download
memory/3764-1992-0x0000019291290000-0x00000192912A7000-memory.dmp

Filesize
92KB

Download
memory/3784-1997-0x000001EFB7C40000-0x000001EFB7C57000-memory.dmp

Filesize
92KB

Download
memory/3784-2015-0x000001EFB7C40000-0x000001EFB7C57000-memory.dmp

Filesize
92KB

Download
memory/3820-2006-0x000002A617970000-0x000002A617987000-memory.dmp

Filesize
92KB

Download
memory/3820-1988-0x000002A617970000-0x000002A617987000-memory.dmp

Filesize
92KB

Download
memory/4036-1989-0x0000028827EA0000-0x0000028827EB7000-memory.dmp

Filesize
92KB

Download
memory/4036-2017-0x0000028827EA0000-0x0000028827EB7000-memory.dmp

Filesize
92KB

Download
memory/4352-1993-0x000002D70AF00000-0x000002D70AF17000-memory.dmp

Filesize
92KB

Download
memory/4352-2009-0x000002D70AF00000-0x000002D70AF17000-memory.dmp

Filesize
92KB

Download
memory/4432-1996-0x000002CCA6B90000-0x000002CCA6BA7000-memory.dmp

Filesize
92KB

Download
memory/4432-2021-0x000002CCA6B90000-0x000002CCA6BA7000-memory.dmp

Filesize
92KB

Download
memory/4768-1994-0x0000016F70970000-0x0000016F70987000-memory.dmp

Filesize
92KB

Download
memory/4768-2019-0x0000016F70970000-0x0000016F70987000-memory.dmp

Filesize
92KB

Download
memory/5240-380-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/5240-377-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/5240-381-0x0000000005810000-0x0000000005866000-memory.dmp

Filesize
344KB

Download
memory/5240-376-0x0000000000BE0000-0x0000000000C52000-memory.dmp

Filesize
456KB

Download
memory/5240-379-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/5240-378-0x0000000005B00000-0x00000000060A6000-memory.dmp

Filesize
5.6MB

Download
memory/5316-1973-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5316-1978-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5316-1974-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5504-1998-0x00000187E3D80000-0x00000187E3D97000-memory.dmp

Filesize
92KB

Download
memory/5504-2025-0x00000187E3D80000-0x00000187E3D97000-memory.dmp

Filesize
92KB

Download
memory/5540-2050-0x0000000004D50000-0x0000000004D67000-memory.dmp

Filesize
92KB

Download
memory/5540-1980-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5540-1981-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5540-2051-0x0000000004D50000-0x0000000004D67000-memory.dmp

Filesize
92KB

Download
memory/5540-2052-0x0000000004D50000-0x0000000004D67000-memory.dmp

Filesize
92KB

Download