privateloader | 01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4

Analysis

max time kernel
150s
max time network
153s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
01-08-2022 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
Size

1.2MB
MD5

74fb663087b66cbbc305c940bd1090e6
SHA1

8fed8e979fd86ef3712ceb4d1a47d1bd670837e7
SHA256

01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4
SHA512

1e7d224df8c2d07a9811bfa1548c7eb6fb5fd41f75ab4de888d410738ee77fa3673fc71afa31f4b094d2788154b6b5f1dfd8cb73bf510eb59068069a30b0a738

Score

10^/10

privateloader raccoon redline 4 @tag12312341 afb5c633c4650f69312baef49db9dfa4 alex f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery infostealer loader spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

alex

185.106.92.128:16509

Attributes

auth_value
4f79d5b8f5aae9e19c9693489b4872c0

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://77.73.132.84

rc4.plain

Extracted

Family

redline

185.215.113.46:8223

Attributes

auth_value
1c36b510dbc8ee0265942899b008d972

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://193.233.177.215/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

http://45.95.11.158/

rc4.plain

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3792-663-0x0000000002440000-0x0000000002456000-memory.dmp	family_raccoon
behavioral1/memory/3792-668-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon
behavioral1/memory/3488-830-0x00000000004C0000-0x000000000060A000-memory.dmp	family_raccoon
behavioral1/memory/2720-843-0x0000000000030000-0x000000000003F000-memory.dmp	family_raccoon
behavioral1/memory/2720-882-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon
behavioral1/memory/3792-902-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon
behavioral1/memory/2720-965-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon
behavioral1/memory/3792-1022-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 15 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
behavioral1/memory/3268-538-0x0000000000900000-0x0000000000944000-memory.dmp	family_redline
behavioral1/memory/2160-563-0x0000000000FE0000-0x0000000001000000-memory.dmp	family_redline
behavioral1/memory/4156-565-0x0000000000820000-0x0000000000840000-memory.dmp	family_redline
behavioral1/memory/3768-568-0x0000000000FD0000-0x0000000001014000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	family_redline
behavioral1/memory/4932-923-0x0000000000990000-0x00000000009B0000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

namdoitntn.exereal.exeRoman_12020.exesafert44.exetag.exekukurzka9000.exeF0geI.exeg3rgg.exeEU1.exeHappyRoot.exe

pid	process
3268	namdoitntn.exe
784	real.exe
2160	Roman_12020.exe
3768	safert44.exe
4156	tag.exe
3792	kukurzka9000.exe
2720	F0geI.exe
3488	g3rgg.exe
4244	EU1.exe
4932	HappyRoot.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Control Panel\International\Geo\Nation	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe

Loads dropped DLL 3 IoCs

Processes:

kukurzka9000.exe

pid process

3792 kukurzka9000.exe
3792 kukurzka9000.exe
3792 kukurzka9000.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3792	kukurzka9000.exe
3792	kukurzka9000.exe
3792	kukurzka9000.exe

Drops file in Program Files directory 10 IoCs

Processes:

01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\g3rgg.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe

Drops file in Windows directory 11 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ae9f03f7bfa5d801	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5c0ca3eabfa5d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{1F05AFF2-B81E-49ED-8C0F-9F071E239F47}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "366154385"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8c7988d5bfa5d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1ca368eebfa5d801	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 156fc1e8bfa5d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\AA549154B737EF29C = 030000000100000014000000aa549154b737ef29c55000081fdf1f8b3ebb40910400000001000000100000001e9b655c2563f0f8b7cf2fa979f89a920f00000001000000200000001c169fb8bea23cbb597a7d0330f5f2c6fb82969934da9d676058363ca94854c614000000010000001400000039c8e33fb6d4c223863e8a9838ee2fcbbe567a13190000000100000010000000baa9030082855b9e52cb543799fa36f35c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000e7050000308205e3308203cba003020102021333000001d92cb2c0c2c9e054b40000000001d9300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3232303630373138323634325a170d3233303930373138323634325a3081a5310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3123302106092a864886f70d0109011614777362657870406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d345fb3624263a3b1856614f76c90c184e75fc1ab123f51b38c31a32311a70bbec8667c0831a74b00255149eac86eb0b2e4bc21010346a0bfaed29bbba29ab5e69a8b707f955c12eeb575a70cfeccd7ca8de3de7c883dd7bb79e85c8062128750eba60d9bcb6e0a21a4e97deef8cdff249e7d7ed312b8ed769c00c80629fc31ffe942f792d67b8e360f084858065ca7c0114a231072d7380b9ee828b1e717bc81938d5c58b75f12f457d4320f90a11d1d326e0b24c69dcbb185054bf8ab0c136f8f38264911aca2edaa93754a9685eb0878b62800020838f656e4d7d3aa53a0cc07d76cfbc7d77f570346cd2bba3836d24428c2723dd6e39afd107c0f7889bdd0203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e0416041439c8e33fb6d4c223863e8a9838ee2fcbbe567a13301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c36cdc2a65c64372b6118a63a5c7ed1ecfa5b939531465ca9af136bd76d942a74ad37481be984496cd20deca7b469dc4f2e439db9e2e0eafd2b4dcab7c7b0d131a98a88e9c34787d209fe84fd1bf1031c31a63a794d8448654d9f6e1267ca9513f6d9bb17be844f225a15133665568503b50bdd2b74e1199b3afbb822dc3d9b07147f374427991b7d04234dfb77c7b4518a554b65b69b318ff2be7e541762de2726789d01f2f866523861aea19ff8ccbfaafc7d78fc242aca7f74d6ba335b4c3d7c7b5b1f5b8dbb6b3104f24dbb8f95b39ecfbdc1a4469ab254263371e8f231c32c68c574290c81c388c3148200344d9b9b3fa8bb6394ac2536f66803302873f3f857bbdbe279d9bf7d2df3422c9bf927ef7b8eb92e872fdfac7cd1fd185847555b4239740734d043b167098ede21a83d5b35431fbd4768905a474218801cf320084043f608133bc8c26752c6b15210859dad17f3cdb1f8546c8cde2b5ccb6634681aaf88339eeab1ad92b8e4babf96333a99e6ff7ada19433913a8101d63b36fcccade21ec6a41cdb44d3abad7c4065368e51eb46b5c237c37bbf04c89871e2e0da20d2e569eaf67b19787ed46c2038faf181bd00cd1d5ff1fee0ad70b457528415fce74f37c22e3bfb1b17d57e59200625989090a2bb1e3b238cb348768a98126537198be58282f64856420280d5858fc0575182dbc6d1fb4f7611b339babc	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

real.exeRoman_12020.exesafert44.exetag.exenamdoitntn.exeHappyRoot.exe

pid	process
784	real.exe
784	real.exe
2160	Roman_12020.exe
2160	Roman_12020.exe
3768	safert44.exe
3768	safert44.exe
4156	tag.exe
4156	tag.exe
3268	namdoitntn.exe
3268	namdoitntn.exe
4932	HappyRoot.exe
4932	HappyRoot.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
4952	MicrosoftEdgeCP.exe
4952	MicrosoftEdgeCP.exe
4952	MicrosoftEdgeCP.exe
4952	MicrosoftEdgeCP.exe
4952	MicrosoftEdgeCP.exe
4952	MicrosoftEdgeCP.exe
4952	MicrosoftEdgeCP.exe
4952	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeRoman_12020.exesafert44.exetag.exenamdoitntn.exeHappyRoot.exe

description	pid	process
Token: SeDebugPrivilege	1152	MicrosoftEdge.exe
Token: SeDebugPrivilege	1152	MicrosoftEdge.exe
Token: SeDebugPrivilege	1152	MicrosoftEdge.exe
Token: SeDebugPrivilege	1152	MicrosoftEdge.exe
Token: SeDebugPrivilege	5108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	6032	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	6032	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2160	Roman_12020.exe
Token: SeDebugPrivilege	3768	safert44.exe
Token: SeDebugPrivilege	4156	tag.exe
Token: SeDebugPrivilege	3268	namdoitntn.exe
Token: SeDebugPrivilege	4932	HappyRoot.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1152 MicrosoftEdge.exe
4952 MicrosoftEdgeCP.exe
4952 MicrosoftEdgeCP.exe

pid	process
1152	MicrosoftEdge.exe
4952	MicrosoftEdgeCP.exe
4952	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2388 wrote to memory of 3268	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	namdoitntn.exe
PID 2388 wrote to memory of 3268	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	namdoitntn.exe
PID 2388 wrote to memory of 3268	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	namdoitntn.exe
PID 2388 wrote to memory of 784	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	real.exe
PID 2388 wrote to memory of 784	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	real.exe
PID 2388 wrote to memory of 784	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	real.exe
PID 2388 wrote to memory of 2160	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	Roman_12020.exe
PID 2388 wrote to memory of 2160	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	Roman_12020.exe
PID 2388 wrote to memory of 2160	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	Roman_12020.exe
PID 2388 wrote to memory of 3768	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	safert44.exe
PID 2388 wrote to memory of 3768	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	safert44.exe
PID 2388 wrote to memory of 3768	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	safert44.exe
PID 2388 wrote to memory of 4156	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	tag.exe
PID 2388 wrote to memory of 4156	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	tag.exe
PID 2388 wrote to memory of 4156	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	tag.exe
PID 2388 wrote to memory of 3792	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	kukurzka9000.exe
PID 2388 wrote to memory of 3792	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	kukurzka9000.exe
PID 2388 wrote to memory of 3792	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	kukurzka9000.exe
PID 2388 wrote to memory of 2720	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	F0geI.exe
PID 2388 wrote to memory of 2720	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	F0geI.exe
PID 2388 wrote to memory of 2720	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	F0geI.exe
PID 2388 wrote to memory of 3488	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	g3rgg.exe
PID 2388 wrote to memory of 3488	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	g3rgg.exe
PID 2388 wrote to memory of 3488	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	g3rgg.exe
PID 2388 wrote to memory of 4244	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	EU1.exe
PID 2388 wrote to memory of 4244	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	EU1.exe
PID 2388 wrote to memory of 4244	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	EU1.exe
PID 4952 wrote to memory of 5108	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5108	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5108	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5108	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 3328	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 3328	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 3328	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 3328	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2388 wrote to memory of 4932	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	HappyRoot.exe
PID 2388 wrote to memory of 4932	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	HappyRoot.exe
PID 2388 wrote to memory of 4932	2388	01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe	HappyRoot.exe
PID 4952 wrote to memory of 2840	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 2840	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 2840	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 2840	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 3216	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 3216	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 3216	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 3216	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 8	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 8	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 8	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 8	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5396	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5396	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5396	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5396	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5476	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5476	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5476	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4952 wrote to memory of 5476	4952	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe
"C:\Users\Admin\AppData\Local\Temp\01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2388

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:784

C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe
"C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3792

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:2720

C:\Program Files (x86)\Company\NewProduct\g3rgg.exe
"C:\Program Files (x86)\Company\NewProduct\g3rgg.exe"
2⤵
- Executes dropped EXE
PID:3488

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:4244

C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
"C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3328

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:8

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3184

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0bd6adeab11e48ed9f65fabdbccecd43 /t 0 /p 3184
1⤵
PID:5748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:2064

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
289KB

MD5
98ee616bbbdae32bd744f31d48e46c72

SHA1
fb2fe19e8890c7c4be116db78254fe3e1beb08a0

SHA256
5e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb

SHA512
fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d

Download Submit
C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
289KB

MD5
98ee616bbbdae32bd744f31d48e46c72

SHA1
fb2fe19e8890c7c4be116db78254fe3e1beb08a0

SHA256
5e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb

SHA512
fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
Filesize
107KB

MD5
0ad2faba47ab5f5933c240ece1ea7075

SHA1
6479bc7cedfc416856a700eda0d83bd5121b11f9

SHA256
81cde4aac3ccad7227fa643504b0c7f26084951df6cb668671932079e13d923b

SHA512
72011e4a5a0a90a79dcd2f8347afa2cf8dcd3f3feec2dbac8ab18941cd981f2f5aa730973d377f09f7b211b665be1974474d9e29ecabfba86cf12b3f188a3f32

Download Submit
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
Filesize
107KB

MD5
0ad2faba47ab5f5933c240ece1ea7075

SHA1
6479bc7cedfc416856a700eda0d83bd5121b11f9

SHA256
81cde4aac3ccad7227fa643504b0c7f26084951df6cb668671932079e13d923b

SHA512
72011e4a5a0a90a79dcd2f8347afa2cf8dcd3f3feec2dbac8ab18941cd981f2f5aa730973d377f09f7b211b665be1974474d9e29ecabfba86cf12b3f188a3f32

Download Submit
C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe
Filesize
107KB

MD5
ba055c9213817647673b72f9ea898de9

SHA1
e45a767b0fb77920d28198169f4e7d16809b9c9a

SHA256
d2cb8ab16c0a8b29c99abab063775f3e0a115e5a4da9082064c7bc4a58cd6838

SHA512
6fa57b1f0979aff2e746433c5c1ba3a7d8543c7938837b874b3c73f0520550d02f751c4c46b8c460e9672062d9b5c4e4d8a31d72fd2e448533986da2da7aacb9

Download Submit
C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe
Filesize
107KB

MD5
ba055c9213817647673b72f9ea898de9

SHA1
e45a767b0fb77920d28198169f4e7d16809b9c9a

SHA256
d2cb8ab16c0a8b29c99abab063775f3e0a115e5a4da9082064c7bc4a58cd6838

SHA512
6fa57b1f0979aff2e746433c5c1ba3a7d8543c7938837b874b3c73f0520550d02f751c4c46b8c460e9672062d9b5c4e4d8a31d72fd2e448533986da2da7aacb9

Download Submit
C:\Program Files (x86)\Company\NewProduct\g3rgg.exe
Filesize
386KB

MD5
59be2ebcf6516dd07ee5df8eae402523

SHA1
e4e5b949a0c9721e4c89f124750d8a97e4d96c7e

SHA256
d2952be5c81f4135c0953b7b36677704f24f4d780de268ce6b67a44a6f15419a

SHA512
9148e9a303a3562f9552da8fa6cdd3c1d4034be31d20968a8dc51904c0d4cf167c0cdfa0d6ceac0ec0a24a975b8c04de9a1d4d67f0056dce810ad4e5b83215d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\g3rgg.exe
Filesize
386KB

MD5
59be2ebcf6516dd07ee5df8eae402523

SHA1
e4e5b949a0c9721e4c89f124750d8a97e4d96c7e

SHA256
d2952be5c81f4135c0953b7b36677704f24f4d780de268ce6b67a44a6f15419a

SHA512
9148e9a303a3562f9552da8fa6cdd3c1d4034be31d20968a8dc51904c0d4cf167c0cdfa0d6ceac0ec0a24a975b8c04de9a1d4d67f0056dce810ad4e5b83215d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
84d016c5a9e810c2ef08767805a87589

SHA1
750b15c9c1acdfcd1396ecec11ab109706a945ad

SHA256
6e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845

SHA512
7c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
84d016c5a9e810c2ef08767805a87589

SHA1
750b15c9c1acdfcd1396ecec11ab109706a945ad

SHA256
6e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845

SHA512
7c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\A8T4S4G5.cookie
Filesize
256B

MD5
d2d862d2ba46e2ca33d6f6a8c777c607

SHA1
10bcd226cc04985f1e638700b1332ad1e53f1dff

SHA256
bf78378220c699b06920ee7f11c1f13d54838d709875ba4012b1d539531628e9

SHA512
89fd9d18ea678ad1bb92710b7994a2c5320a593241534574ed8f3674de8deb59957ca0bdd308b906d0b7df6e66d1b841e549394d60cc8c8cbf11d7b364ddc275

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\C9P15KOC.cookie
Filesize
340B

MD5
679e1cdfc4f8d96b26b1c98bd349ee55

SHA1
8388dd464b3afe997dc3e8124461fba4f1ecd08a

SHA256
bc9a113e9de9f6a7b7295c5036e43a19732da7dbc471b16b0b18870efa513f9e

SHA512
d96fd551abf30e59ee8d269d4f1eb77e45100d019619e8c899ed6e14633d153f63bb636dd3ac5ef051718fd556a3509a70cbe5da859405e8e8c833e0121b129f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\CXLC2358.cookie
Filesize
172B

MD5
ad6901b5523ec004d6e5751b95182638

SHA1
c3a8cf6e0fb0bb140a2a5fab61510a94f02062cf

SHA256
e216fcf83194c412f1ea66dea909956b6f6e412b83625cd72541312570917356

SHA512
ed68ba9a1213531280f189f05103aebcbda1b9fd3bffb848dff1f9c337ccfaa7e8c6c441d63fd056fe0a8c4d80f5f4a8d3cf478474c34a2c9f4db24f486a4029

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\Z4L2R7BW.cookie
Filesize
424B

MD5
c78f351d81c56d4dcc513ff88c464b05

SHA1
62b7bc51dd622799f783d062d831b4f3c5e7213a

SHA256
eb3928bbfd901dc4984ecd793af96f953e0ab23e727fd8dc994211a11a44b902

SHA512
576c972669964f91266e035faadfb45fd01e92e70e2ae5488f953db8bc5b200570511f7b5b0f89f64dffef964c9b68fab9aa4eb880783a0fdce3f3be33201fa6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
1e2d9c7549c6a8806a9ffd63edccbc46

SHA1
b96d107ae8ca9675a31337e33f5a37fcdb09b6a2

SHA256
92bfee390efb25b68f961bf768fcd1aecf96010ba038230c6b4553a73fb423bd

SHA512
3d27bc5336444a74e2f840ef20a2bbf083d1c71a19063668d339e0573f31d46e460ce229fa63a7fa6a82f82668f47782b45fc995eaf8a55aa0fc4834c91a78ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
1e2d9c7549c6a8806a9ffd63edccbc46

SHA1
b96d107ae8ca9675a31337e33f5a37fcdb09b6a2

SHA256
92bfee390efb25b68f961bf768fcd1aecf96010ba038230c6b4553a73fb423bd

SHA512
3d27bc5336444a74e2f840ef20a2bbf083d1c71a19063668d339e0573f31d46e460ce229fa63a7fa6a82f82668f47782b45fc995eaf8a55aa0fc4834c91a78ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
82fcf679922cc7ede3e244dc2561c234

SHA1
3dd95194a3abf6aa62256cecad1e4346c08af5b6

SHA256
12b778592de0d932682f486a79934c565a193942549c4dc15f30e8d29d2cb491

SHA512
384555b2c99d3908445b155351e4757d25fcea247dab2b3ab05bddeb85641fdf0dc2511dafd0f4f001f4025a7452f2f9c349acf511c66fb62076fdc01d49568a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
e0c5723eaef8e9eb070e55319c8bb6bf

SHA1
e36d64fb0d398f6eee8162b96cfc4e5413b136c4

SHA256
30c9fe32ce1ee3a54bb2b7c7b7b6be80b37e1f61ea20e64e607918f61a677644

SHA512
89f82eaec8802697f12a42efe5cb9243d09a746fb41d53406e770448340f77bc52c7fbe6fdcf2e1228a9add7bacb9638794b1d44acdee4e47f883bd7045a2d63

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
e0c5723eaef8e9eb070e55319c8bb6bf

SHA1
e36d64fb0d398f6eee8162b96cfc4e5413b136c4

SHA256
30c9fe32ce1ee3a54bb2b7c7b7b6be80b37e1f61ea20e64e607918f61a677644

SHA512
89f82eaec8802697f12a42efe5cb9243d09a746fb41d53406e770448340f77bc52c7fbe6fdcf2e1228a9add7bacb9638794b1d44acdee4e47f883bd7045a2d63

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
e0c5723eaef8e9eb070e55319c8bb6bf

SHA1
e36d64fb0d398f6eee8162b96cfc4e5413b136c4

SHA256
30c9fe32ce1ee3a54bb2b7c7b7b6be80b37e1f61ea20e64e607918f61a677644

SHA512
89f82eaec8802697f12a42efe5cb9243d09a746fb41d53406e770448340f77bc52c7fbe6fdcf2e1228a9add7bacb9638794b1d44acdee4e47f883bd7045a2d63

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
562ddca1f86348e0e7ea9021c326a67c

SHA1
9b1aded1e820e7b09cfd2c4caa60c38879540264

SHA256
ae899493e6f679cfe4bff82780c8e7a660571e23cd7b6e065f872baa061b3431

SHA512
26e9caaf8c785c8b54bdac1d89d2a0939104a2bcb45e04ce56950739308c5a565ad0a9697fbd5a0af42499625bfb52dd3a07cf0c63592f7a3bf38487e1ab85b9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/784-275-0x0000000000000000-mapping.dmp

Download
memory/2160-563-0x0000000000FE0000-0x0000000001000000-memory.dmp

Filesize
128KB

Download
memory/2160-704-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/2160-280-0x0000000000000000-mapping.dmp

Download
memory/2160-890-0x0000000005CC0000-0x0000000005D52000-memory.dmp

Filesize
584KB

Download
memory/2388-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-166-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-175-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-178-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-179-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-181-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-119-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-160-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-158-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-157-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-118-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2388-134-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2720-876-0x0000000000972000-0x0000000000983000-memory.dmp

Filesize
68KB

Download
memory/2720-882-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2720-959-0x0000000000972000-0x0000000000983000-memory.dmp

Filesize
68KB

Download
memory/2720-325-0x0000000000000000-mapping.dmp

Download
memory/2720-843-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2720-965-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3268-538-0x0000000000900000-0x0000000000944000-memory.dmp

Filesize
272KB

Download
memory/3268-272-0x0000000000000000-mapping.dmp

Download
memory/3268-942-0x0000000006B70000-0x0000000006BD6000-memory.dmp

Filesize
408KB

Download
memory/3268-597-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/3268-920-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/3488-830-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/3488-1014-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3488-1005-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/3488-835-0x0000000002090000-0x00000000020E9000-memory.dmp

Filesize
356KB

Download
memory/3488-1094-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3488-839-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3488-334-0x0000000000000000-mapping.dmp

Download
memory/3768-568-0x0000000000FD0000-0x0000000001014000-memory.dmp

Filesize
272KB

Download
memory/3768-1008-0x00000000057F0000-0x0000000005840000-memory.dmp

Filesize
320KB

Download
memory/3768-615-0x0000000003160000-0x0000000003166000-memory.dmp

Filesize
24KB

Download
memory/3768-285-0x0000000000000000-mapping.dmp

Download
memory/3768-886-0x0000000006F70000-0x000000000746E000-memory.dmp

Filesize
5.0MB

Download
memory/3792-663-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/3792-1022-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3792-668-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3792-318-0x0000000000000000-mapping.dmp

Download
memory/3792-902-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4156-565-0x0000000000820000-0x0000000000840000-memory.dmp

Filesize
128KB

Download
memory/4156-880-0x00000000053E0000-0x0000000005456000-memory.dmp

Filesize
472KB

Download
memory/4156-290-0x0000000000000000-mapping.dmp

Download
memory/4156-693-0x0000000005030000-0x0000000005042000-memory.dmp

Filesize
72KB

Download
memory/4156-1009-0x0000000006B10000-0x0000000006CD2000-memory.dmp

Filesize
1.8MB

Download
memory/4156-1013-0x0000000007210000-0x000000000773C000-memory.dmp

Filesize
5.2MB

Download
memory/4156-692-0x0000000005590000-0x0000000005B96000-memory.dmp

Filesize
6.0MB

Download
memory/4156-737-0x0000000005110000-0x000000000515B000-memory.dmp

Filesize
300KB

Download
memory/4156-722-0x0000000005090000-0x00000000050CE000-memory.dmp

Filesize
248KB

Download
memory/4244-346-0x0000000000000000-mapping.dmp

Download
memory/4932-923-0x0000000000990000-0x00000000009B0000-memory.dmp

Filesize
128KB

Download
memory/4932-785-0x0000000000000000-mapping.dmp

Download