wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/Mobile_Legends_Adventure[.]apk

max time kernel
147s
max time network
148s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
19/03/2025, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/Mobile_Legends_Adventure.apk

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 2 IoCs

flow	pid	Process
93	4408	msedge.exe
93	4408	msedge.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE665.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE67C.tmp	WannaCry.exe

Executes dropped EXE 8 IoCs

pid	Process
832	butterflyondesktop.exe
5624	butterflyondesktop.tmp
1560	ButterflyOnDesktop.exe
3372	WannaCry.exe
5352	!WannaDecryptor!.exe
3112	!WannaDecryptor!.exe
2540	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe

Loads dropped DLL 1 IoCs

pid	Process
3380	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
88	raw.githubusercontent.com
89	raw.githubusercontent.com
90	raw.githubusercontent.com
91	raw.githubusercontent.com
92	raw.githubusercontent.com
93	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Butterfly on Desktop\is-C66EM.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-6O83R.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-U23VU.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-ORP7J.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_1564774549\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_1564774549\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_543717657\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_1373031279\manifest.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_1373031279\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_1373031279\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_1564774549\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_1564774549\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_1564774549\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_543717657\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_543717657\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_569380919\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_569380919\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3380_569380919\well_known_domains.dll	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
2920	taskkill.exe
1804	taskkill.exe
980	taskkill.exe
4800	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133868754574878865"	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-780313508-644878201-565826771-1000\{9AC1A5EB-65BD-45B2-B6F6-72304124619C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3280	WMIC.exe
3280	WMIC.exe
3280	WMIC.exe
3280	WMIC.exe
2688	msedge.exe
2688	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3280	WMIC.exe
Token: SeSecurityPrivilege	3280	WMIC.exe
Token: SeTakeOwnershipPrivilege	3280	WMIC.exe
Token: SeLoadDriverPrivilege	3280	WMIC.exe
Token: SeSystemProfilePrivilege	3280	WMIC.exe
Token: SeSystemtimePrivilege	3280	WMIC.exe
Token: SeProfSingleProcessPrivilege	3280	WMIC.exe
Token: SeIncBasePriorityPrivilege	3280	WMIC.exe
Token: SeCreatePagefilePrivilege	3280	WMIC.exe
Token: SeBackupPrivilege	3280	WMIC.exe
Token: SeRestorePrivilege	3280	WMIC.exe
Token: SeShutdownPrivilege	3280	WMIC.exe
Token: SeDebugPrivilege	3280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3280	WMIC.exe
Token: SeRemoteShutdownPrivilege	3280	WMIC.exe
Token: SeUndockPrivilege	3280	WMIC.exe
Token: SeManageVolumePrivilege	3280	WMIC.exe
Token: 33	3280	WMIC.exe
Token: 34	3280	WMIC.exe
Token: 35	3280	WMIC.exe
Token: 36	3280	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3280	WMIC.exe
Token: SeSecurityPrivilege	3280	WMIC.exe
Token: SeTakeOwnershipPrivilege	3280	WMIC.exe
Token: SeLoadDriverPrivilege	3280	WMIC.exe
Token: SeSystemProfilePrivilege	3280	WMIC.exe
Token: SeSystemtimePrivilege	3280	WMIC.exe
Token: SeProfSingleProcessPrivilege	3280	WMIC.exe
Token: SeIncBasePriorityPrivilege	3280	WMIC.exe
Token: SeCreatePagefilePrivilege	3280	WMIC.exe
Token: SeBackupPrivilege	3280	WMIC.exe
Token: SeRestorePrivilege	3280	WMIC.exe
Token: SeShutdownPrivilege	3280	WMIC.exe
Token: SeDebugPrivilege	3280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3280	WMIC.exe
Token: SeRemoteShutdownPrivilege	3280	WMIC.exe
Token: SeUndockPrivilege	3280	WMIC.exe
Token: SeManageVolumePrivilege	3280	WMIC.exe
Token: 33	3280	WMIC.exe
Token: 34	3280	WMIC.exe
Token: 35	3280	WMIC.exe
Token: 36	3280	WMIC.exe
Token: SeBackupPrivilege	4476	vssvc.exe
Token: SeRestorePrivilege	4476	vssvc.exe
Token: SeAuditPrivilege	4476	vssvc.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
5624	butterflyondesktop.tmp
1560	ButterflyOnDesktop.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
1560	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5352	!WannaDecryptor!.exe
5352	!WannaDecryptor!.exe
3112	!WannaDecryptor!.exe
2540	!WannaDecryptor!.exe
3112	!WannaDecryptor!.exe
2540	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 6080	3380	msedge.exe	80
PID 3380 wrote to memory of 6080	3380	msedge.exe	80
PID 3380 wrote to memory of 4408	3380	msedge.exe	81
PID 3380 wrote to memory of 4408	3380	msedge.exe	81
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 1360	3380	msedge.exe	82
PID 3380 wrote to memory of 5628	3380	msedge.exe	83
PID 3380 wrote to memory of 5628	3380	msedge.exe	83
PID 3380 wrote to memory of 5628	3380	msedge.exe	83
PID 3380 wrote to memory of 5628	3380	msedge.exe	83
PID 3380 wrote to memory of 5628	3380	msedge.exe	83
PID 3380 wrote to memory of 5628	3380	msedge.exe	83
PID 3380 wrote to memory of 5628	3380	msedge.exe	83
PID 3380 wrote to memory of 5628	3380	msedge.exe	83
PID 3380 wrote to memory of 5628	3380	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/Mobile_Legends_Adventure.apk
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x28c,0x7fff9ddbf208,0x7fff9ddbf214,0x7fff9ddbf220
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1844,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1404,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4620,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4608,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5460,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5460,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=604,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4844,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6096,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6248,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6052,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:1700
- C:\Users\Admin\Downloads\butterflyondesktop.exe
  "C:\Users\Admin\Downloads\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\is-8E9D2.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8E9D2.tmp\butterflyondesktop.tmp" /SL5="$6011A,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:5624
  - - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      PID:2596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
        5⤵
        
        PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=4184,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=2796 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6848,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3996,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=6904 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5988,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6528,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=7108 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7188,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=7200 /prefetch:8
  2⤵
  PID:5864
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 246561742401939.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3696
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=788,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=7224 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5308,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3672,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=7124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3964,i,4067263830092073893,1038356329236857773,262144 --variations-seed-version --mojo-platform-channel-handle=3968 /prefetch:8
  2⤵
  PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
aa9afd16e8041e8c80250b50ea6899e4

SHA1
a3a698d431952253255c343f2b35f74e73e63088

SHA256
2bd7f856d73f78bc3a4de32b447b21babad42c009b19fcebe2f8cdeca2380926

SHA512
344de0888df8851d957ca6fab055eb9e2f1aa6d958022c2c30442cd6aad4d158d0a99f8908184abc60fb1e0ccdd3d9395d8c0d37fc317d3700974c3348d4a5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b52e18ff51d099f0d18413dfcb4c65c1

SHA1
8f7bb6ae41f9e9a2779ef64ec289b2fe997834b7

SHA256
454aef6dfba1fba30be6c118488065d62d3f2c9254258943187da7aa19506636

SHA512
49cfacbc58ef5309adcd792da2b9bcf3a24284de51952ee8bc976d1b4f5a47ed7425dbc042e3cf5366f06ac2c19f65b832c4a14e6bc7167cb3d3ca641bb202ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ff6aee2762c7d990c5836e8fd8d0159b

SHA1
aa40709906d6b13ec3a1ec8e9932e3450e4ba3ad

SHA256
a16ce9aba9716b0774e92809538d031acf80068598deced7079008dabb8999c0

SHA512
4d584b42664a611cacb82bbd2b4bff3419b94fb2871cc288890f18e070a1061a22818ef588ee25381e661cc336f878c8bcee4443b0935a7fc3af72aba803f436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d8eb.TMP

Filesize
3KB

MD5
fe9c76db9f6ea5414534f684fc17f03d

SHA1
3a3861b6e27ed36a4c198b101f25d7c3365285dd

SHA256
56cfe372c0ecb1d34e9ed755c7a457b1d3f6ca3ea7123fb892311432a22426b7

SHA512
05b96e6a249c37c7ef1b4ecbda6b6569d97bc24e6a638bbcc04a0a929551d65ad6b6aea2a890e5ca330045bd8ec3d1a97d04ec08d2b179fc4327528ecb8be402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Filesize
32KB

MD5
9ee6635465c39802b8c7a5851ba32601

SHA1
4b9e1e7a0d14b3691fcaa2a24cd8c8c684e76127

SHA256
dd91e619dd1a70ca83950c0997d80284ac53bf2aea2e663961e90260f2f51fa6

SHA512
35efbde55d28db4017a5d67b345667627b7ede2198c188ddda46f54f1a4700208e605fae85213d180c949a737fe7a58fca712caa12476918e15751f54cb75b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5643ff7b55cb805fba1d9cc382c292dc

SHA1
7bf662df9565bd3e85f82a2f2ff0d364a2e8d08c

SHA256
1608e07eac5e8e4af86d8069bfb3c28bb1935ab319e231d208d9d4ff51e3e7ab

SHA512
2c5a53dbf9d82cd9613d74d683776b9cd4df4f73206e240d6f4047904e2bf9829dcc46afc7eec460069d81ab6d02b3845124cc5839f8b75e25f7fa3ed0e088cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
8632b112da0e224f4ef8f3269924f196

SHA1
15dfdefa085bc24b1acbfbabe7cdb32ab29ebc73

SHA256
b7acf688f0012500a09565191e16d46f42279a2992ad0f19297bdddf595f4d80

SHA512
9bef727c0d26515783a09c9d263bee6cdb78e24537ca71ded65d888c48a0f16c3bf22defa45da3017811d4b23beea5d0efe8a07c18473dffe0714221940e7adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
8ac2cc8b873fb6149d2cd4ec13ca4221

SHA1
7b64cd5e4f275c0b8764a1a493e15a6ed3a21098

SHA256
1fcfcc96acb47979519f70204557ed7c73a1b8f445ddc641e79caf6bd72fdf36

SHA512
af9e3ad5c7c38c6a34e6fe0519d45a61587cf576b37a7210820375b27b9b1bc24faa621e2e8c1f7e4a0a36fdef475e190d4ad5a7913d8dec232508ff806cc9be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
c56d9ba383c926a96e5e253b4fbf65db

SHA1
6ebe591a1b95652bcda7d105d881e41db07528ec

SHA256
0c577ef4eed8c39c0dce4572d6a29fe435b2ce521958a16b0d22c00e95fde8e4

SHA512
79c3d6bd3a416cf3e665d8aa80990505e1169893e6d184de91946ba6264c5692d7bd58d2ab7d47659433ff802def64c363ceffd52fc084d73169a5c231d7fed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
fe2326d04e5a57ecdf3d4d45d3b8d001

SHA1
4c8aec346430e25fb098a9731c576ab8105f245d

SHA256
59af530f67fb725e361c849210bc4107a3bc1cfe1a9436a2b3df0ccba0a328bc

SHA512
d56a35d0eab5c74c1ff5950a2ff93d9895ce0d54fba33acfcc518606c30b020e86cb9ad8f76cb53c5e8e5c956ca86c34ef97f4fdff49775c17ffed40f40f32ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
d87c3b749558bf5cc0de52c07abf2c59

SHA1
3093f3a15525c4bbc22a10714dd4c05bbc0cf134

SHA256
a9f2aa3cd7991902062e88c30f8403530f1a8f9e097389a6c174bc43e0cb252b

SHA512
95ac7e5817a53316eb556a1073f2296c967938ddda4f2075f2a9205d14bda70d7cbf8924b95596f62f08d9b7effd1e8e16c079d2bf55207ef1e681f039b4647f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
7366e64407b240e972a027d66c8b5e74

SHA1
be2f9368a1a0860557a7c8aef00a2504079fc49f

SHA256
ab2c3b9b51a25354620a18a0dbe1923afd4c25438c294b8e556cac545d441186

SHA512
1d5179c8fc40cdee30220e4c4fc86a58a39dff6362077681d64b00bc162ba9b2b4ac2879599ea4821bf19800365d01e22afac6248d52295305dd9a30f6a72f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
18KB

MD5
83a6fde71785aa2233001d58a1d668fb

SHA1
c3231e8257bb1d2b3f6e485750dac18f45456632

SHA256
da737c826df42c7d3617051b4a3801bf3cc85955fd8666dbaf52b136379537b1

SHA512
4ff9f39689288254307077dd164b02ec42268904f8759d7f8ef5b9bace6c22582b3105c5e0c4315b28adb3c9dc1e8f030f37022cb36df95c141bc76dfad08767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
11309792f5cac5461b905d70e3d0b34d

SHA1
a486a32a2e69b2459670c600b14223797286a95e

SHA256
764d75b0a14b248ad82617826141e5cd54a3a1d87f6dbeeb6c492d13f4f71988

SHA512
49fe125b3b41083f1f87e2ff447f2b04449a902316ba0b5e6f00c102f38df39f1bb0ee424e7e166ae5a45f21619868a995b673743991356578496c2d3b7319eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
bb887be8763c4d8637f7074fa51eba50

SHA1
32e9bd495ddf3bc45be51dec9b706fd70553e612

SHA256
e0a606f4fbc2958a1adcaaf8ffd63c21546367411eff13181c41b3a56d25c758

SHA512
8235f91dbbf87a862d49625b9e57e0e88e033a36a44267ddf8f244f3e8c6636f407407bb747e4b07789db21f67e3c5c8bc2773433aa9a4bb1e0a8f2930a43469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
e796af5bc6da522aed2b32dc9fbafc25

SHA1
441a942dad501988faaee9057b0ab6671730c076

SHA256
03152da334edd28e07a65d10a7e6c538cddaa6a9ebc0d483a78fc3510fda7747

SHA512
b3121d14eb7bea7d26f47e8d91259f31b9e4cbaf9b1efaeeb3e36e246ceabf24734e058009bca4e6749ad7cb9c3673dbe10347d32fe3e0ad48a524a2cf9a20ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
29f458190cbfd30d6207ccde3e02b81e

SHA1
3d540d86af47c927e8aa0d20b54e0f2e78fb5634

SHA256
988e54cbdff1981d5497a98be2ba95b9b583d3f267246509a7daea193b13090d

SHA512
a31eb43a5935aba2e4b2c1a348b05bc5a6a6b6d0b03ecec4ae95f4c4ddb2d112c796e3ed5b310c312802ad90f826a8f9b42e89c75363bc299eb1be760899b8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
227a3e250e2a7fa731cfb5666d923c13

SHA1
3b94c41cb6e0401448f541563781b2c09026fea5

SHA256
d135244629a65eab3ebebb39556bb0a886ca27804ecca8c4b9e8bb410ae05726

SHA512
6606a9c693cf0081fbaa5200731c40c6ee186a8f238c850cf3f4e5c7c9ec8afd33d58ec18c9b5f5d95ff7cccc4b109b7eb17ed88fada25daa21a6081d55b987f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
82f5c6b07a9ecd1da422d34ae386b415

SHA1
086ee04a36babe199d33e1d588cf2b1f4aa519b2

SHA256
6c38eeff52972f5c1e5edbb7b1efc8949a6171dbbfd01efa053ae14bd89f6b9e

SHA512
dca9674a7c72c89baaef69e9b600473d62d8d0d77da511ea97cb006ef267b8fbce0a7cfbdb3bf96f4f504773b7323a5e001cf5800d4b3be401891e0b30d2c39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe585937.TMP

Filesize
392B

MD5
f9c2bdbcb3608e8b920c217a1c9cdff1

SHA1
feffb12e3c9a9f8510c186da9c8d670b8c25c1cd

SHA256
1eee8ffb9713cc5fd34df862a7ea192e299329a609c1b44ccf02096738e29dcc

SHA512
a7d416898885d5bf2acae49e39e51376d128fa1c95996b5bb73a5be173cd62a7bb795c939362bfa731a1d3f95b25d1a6d4583e85763dbcf9a8419475c29337ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\first_party_sets.db

Filesize
68KB

MD5
c485b2f56d3cd9104905a14de0e6f3ed

SHA1
011c8a86414ef18a36d5501534fd2cad5ae63011

SHA256
7f456393457a1aa02eddc37069d74a0a9e19062086a66333763c8127177c5c9c

SHA512
7347e4ccf623cc2f3bc05cfe15906e212bd2a1631dbef1cad20dcd8179b7d0184b1f6332116ee9b42f75ebfcdc36aa2dcfcb210c1a31bbcd5bd50a2c1db55498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
5fa83abde1794f77f71b8f328250d482

SHA1
930a38ea720318b901681b887368efc8ff6db479

SHA256
d3154d59f5b8df2546e6087d7440336b0b1cc2235795bdc208dfd36a55000748

SHA512
10ab7767408b329b48771b0410ec2b12bb1d3b042616fdd8704713ada66b58a23d18bc92371b93536eaa03a4f97ae0f997c17ab7f96f72b1ae3f3a30d914dc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E9D2.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
300ce75c3989151a79672a5a32456176

SHA1
20cb5ed67f42c2f15c764b1a4d7bc205d6fe5476

SHA256
b6e4aa7b3e65d5e8450f9d67119790103da1452470ef3520dcccea433f3b1d71

SHA512
fac72f045ddd7c204e7a596bd4576996d971ddf2a57b2493f801c8ed324fab89ba5386775853f691a7a151113f28265c465441061c86485001d57361f528223d

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
8dd6fd1557d0c8a7df0fee2536eaed8d

SHA1
b09682dad3a99b7b10f1be38b631a3c7f0c3a3d9

SHA256
2653d1ec2b727f9420f44656273c4863059218732e6081581884152854ca5c16

SHA512
a2f9dd82743806b6646418c951e3ef0874faf45c473afa3e0bf20cdb59e0c0a9f72146d03b2968418be5541c9153b571034724b315d3a951620bbcb936d0219d

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
3bfc860f9828ed7821c752afc68c0d9e

SHA1
d3eff570e6961d37204d759fb6d417cf0cb2b573

SHA256
e627b783d76df4e2a35776b4c79cb9a540d394bd3c9de7fe53575c6e6565e065

SHA512
56884f6cec23a6ad4ab41a5ff4d774901eae7e64bdce7b1db9663f90465c4457784a1512bc12ce512a04e78ee6e3a8d5fdd28d8dcc46bc31a3511a6fb7830476

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
5c0bb081ef27f5ab5731fa99a87a7215

SHA1
3a3f272d00e8be906aab016c0ed55b4289a0bddc

SHA256
81a8853fac2b92d556069e9114efcb4ab9e5abb3ff74da113471d4cc65446493

SHA512
2ea5fdac3ee86b2cc8fad0f6a2975c7a8fea7f8f5511019334408e737bf08e9007ba5adf850bb80c5eea4addccd2002ffa3f33da2cb3b5e01a7ee24f21b46dd3

Download Submit
C:\Users\Admin\Downloads\246561742401939.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\butterflyondesktop.exe.crdownload

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
0930a486f1d5534852c4e0368b3b26f5

SHA1
afeaad9dfafcbb3f73f8a19e862e2b34a3ce195e

SHA256
b2fe3818684bc411b1bc4f411eae0991e647b75fe564c608f3a2892a8991afcb

SHA512
ea9879a834371e0294d5d9b07462217d696824f8454df59f1424dcb7266f11b2fd5fe240d822b31004f0f303f80ed318dbbdc6de20c63430f609ffb6e12db827

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
memory/832-524-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/832-477-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/832-542-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1560-2040-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1560-1095-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1560-2037-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1560-2080-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1560-616-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1560-2093-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1560-651-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1560-2105-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1560-682-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3372-712-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/5624-525-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5624-541-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download