redline | 4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2022 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe
Size

916KB
MD5

72bc725dcbf570567645b209fc685f79
SHA1

a6a2b06f126b3483908073a9bf7f0bd3b0a5885a
SHA256

4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d
SHA512

1208956e5c45022f775587dc6fb828472644d6f9fb6f85629861917a77f8df5029f0e579ed23bdea90b8334f2c708843ab838a0156e0ab695b4c28b71305e7d0

Score

10^/10

redline 5 5076357887 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
behavioral1/memory/4576-472-0x0000000000220000-0x0000000000240000-memory.dmp	family_redline
behavioral1/memory/3964-477-0x0000000000BD0000-0x0000000000C14000-memory.dmp	family_redline
behavioral1/memory/3312-474-0x0000000000570000-0x0000000000590000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exejshainx.exeWW1.exeMinecraftForge.exedllhost.exe

pid	process
1300	F0geI.exe
1216	kukurzka9000.exe
4576	namdoitntn.exe
1068	real.exe
3964	safert44.exe
3312	jshainx.exe
596	WW1.exe
5492	MinecraftForge.exe
5932	dllhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

Processes:

4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\WW1.exe	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe

Drops file in Windows directory 7 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5044 schtasks.exe
5336 schtasks.exe
4196 schtasks.exe
3152 schtasks.exe

pid	process
5044	schtasks.exe
5336	schtasks.exe
4196	schtasks.exe
3152	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658B = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f4e32bb32cb1d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c44e00912cb1d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000fd52f97bcdd93cbf4741ae79a61696a0d5725a4051ca099ed27fb61e4e2b709de5c43375162487af9782624368bf09cd0b9fe4784ee4145422b8c0d7	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "367400631"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 03bc80556daed801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 71a3f5ac2cb1d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f55e32912cb1d801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

real.exejshainx.exesafert44.exeMinecraftForge.exenamdoitntn.exepowershell.exedllhost.exe

pid	process
1068	real.exe
1068	real.exe
3312	jshainx.exe
3312	jshainx.exe
3964	safert44.exe
3964	safert44.exe
5492	MinecraftForge.exe
5492	MinecraftForge.exe
4576	namdoitntn.exe
4576	namdoitntn.exe
6012	powershell.exe
6012	powershell.exe
6012	powershell.exe
6012	powershell.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe
5932	dllhost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe

pid	process
4224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exejshainx.exesafert44.exeMinecraftForge.exenamdoitntn.exepowershell.exedllhost.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	4908	MicrosoftEdge.exe
Token: SeDebugPrivilege	4908	MicrosoftEdge.exe
Token: SeDebugPrivilege	4908	MicrosoftEdge.exe
Token: SeDebugPrivilege	4908	MicrosoftEdge.exe
Token: SeDebugPrivilege	712	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	712	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	712	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	712	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3312	jshainx.exe
Token: SeDebugPrivilege	3964	safert44.exe
Token: SeDebugPrivilege	5492	MinecraftForge.exe
Token: SeDebugPrivilege	4576	namdoitntn.exe
Token: SeDebugPrivilege	6012	powershell.exe
Token: SeDebugPrivilege	5932	dllhost.exe
Token: SeDebugPrivilege	6028	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	6028	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4908 MicrosoftEdge.exe
4224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe

pid	process
4908	MicrosoftEdge.exe
4224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exeMicrosoftEdgeCP.exejshainx.exeMinecraftForge.execmd.exedllhost.exe

description	pid	process	target process
PID 2664 wrote to memory of 1300	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	F0geI.exe
PID 2664 wrote to memory of 1300	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	F0geI.exe
PID 2664 wrote to memory of 1300	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	F0geI.exe
PID 2664 wrote to memory of 1216	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	kukurzka9000.exe
PID 2664 wrote to memory of 1216	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	kukurzka9000.exe
PID 2664 wrote to memory of 1216	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	kukurzka9000.exe
PID 2664 wrote to memory of 4576	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	namdoitntn.exe
PID 2664 wrote to memory of 4576	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	namdoitntn.exe
PID 2664 wrote to memory of 4576	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	namdoitntn.exe
PID 2664 wrote to memory of 1068	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	real.exe
PID 2664 wrote to memory of 1068	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	real.exe
PID 2664 wrote to memory of 1068	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	real.exe
PID 2664 wrote to memory of 3964	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	safert44.exe
PID 2664 wrote to memory of 3964	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	safert44.exe
PID 2664 wrote to memory of 3964	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	safert44.exe
PID 2664 wrote to memory of 3312	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	jshainx.exe
PID 2664 wrote to memory of 3312	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	jshainx.exe
PID 2664 wrote to memory of 3312	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	jshainx.exe
PID 2664 wrote to memory of 596	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	WW1.exe
PID 2664 wrote to memory of 596	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	WW1.exe
PID 2664 wrote to memory of 596	2664	4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe	WW1.exe
PID 4224 wrote to memory of 712	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 712	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 712	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 712	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 4316	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 4316	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 4316	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 4316	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 4204	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 4204	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 4204	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 4204	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 2864	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 2864	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 2864	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4224 wrote to memory of 2864	4224	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3312 wrote to memory of 5492	3312	jshainx.exe	MinecraftForge.exe
PID 3312 wrote to memory of 5492	3312	jshainx.exe	MinecraftForge.exe
PID 3312 wrote to memory of 5492	3312	jshainx.exe	MinecraftForge.exe
PID 5492 wrote to memory of 5908	5492	MinecraftForge.exe	cmd.exe
PID 5492 wrote to memory of 5908	5492	MinecraftForge.exe	cmd.exe
PID 5492 wrote to memory of 5908	5492	MinecraftForge.exe	cmd.exe
PID 5908 wrote to memory of 5964	5908	cmd.exe	chcp.com
PID 5908 wrote to memory of 5964	5908	cmd.exe	chcp.com
PID 5908 wrote to memory of 5964	5908	cmd.exe	chcp.com
PID 5908 wrote to memory of 6012	5908	cmd.exe	powershell.exe
PID 5908 wrote to memory of 6012	5908	cmd.exe	powershell.exe
PID 5908 wrote to memory of 6012	5908	cmd.exe	powershell.exe
PID 5492 wrote to memory of 5932	5492	MinecraftForge.exe	dllhost.exe
PID 5492 wrote to memory of 5932	5492	MinecraftForge.exe	dllhost.exe
PID 5492 wrote to memory of 5932	5492	MinecraftForge.exe	dllhost.exe
PID 5932 wrote to memory of 2372	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 2372	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 2372	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5584	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5584	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5584	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5332	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5332	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5332	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5476	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5476	5932	dllhost.exe	cmd.exe
PID 5932 wrote to memory of 5476	5932	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe
"C:\Users\Admin\AppData\Local\Temp\4c8662f187b984c7ad509d766d9514542f26ec38e8961097dd17282f0e7c6a1d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2664

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:1300

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:1216

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Program Files (x86)\Company\NewProduct\WW1.exe
"C:\Program Files (x86)\Company\NewProduct\WW1.exe"
2⤵
- Executes dropped EXE
PID:596

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312

C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5492

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
- Suspicious use of WriteProcessMemory
PID:5908

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:5964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5932

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5044

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5584

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3152

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5332

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5476

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5612

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5752

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5336

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3665" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7324" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7650" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4220

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7650" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4196

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4473" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:4240

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:5320

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:5396

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:5748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4204

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4672

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\WW1.exe
Filesize
274KB

MD5
a62d25b9a70fe5e4be932036814e6832

SHA1
e1571597ff7648d6c7e8eb013d04d00b129343c7

SHA256
904b8d3d5fe952b833e0815e1b90ac21f86ff16749be122e7632824348d29f62

SHA512
0a6a97b2cd9a60393eef4006d78b676cf199244ef4369321b6d0de145b3e067393dde68ec5550215cd77f5ae0553ffaacf24f862fddefbc87f78ca86c82235e6

Download Submit
C:\Program Files (x86)\Company\NewProduct\WW1.exe
Filesize
274KB

MD5
a62d25b9a70fe5e4be932036814e6832

SHA1
e1571597ff7648d6c7e8eb013d04d00b129343c7

SHA256
904b8d3d5fe952b833e0815e1b90ac21f86ff16749be122e7632824348d29f62

SHA512
0a6a97b2cd9a60393eef4006d78b676cf199244ef4369321b6d0de145b3e067393dde68ec5550215cd77f5ae0553ffaacf24f862fddefbc87f78ca86c82235e6

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
669KB

MD5
b5942a0be0b72e121dadb762044f38cc

SHA1
885909607a9747c11eac6cc47b775ad947980c5e

SHA256
c565dd409f6d17997285f6fcecf851c56ddc3129c2a777529e8470290565ace1

SHA512
d2a916738fca01b6b5a27639fbefcc7406e79f8493d8f69015c60d07d0341ab8aa8e4e3ab50208161b7398bef62b9837e11524ffefc502b9f09efc011974e3e7

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
669KB

MD5
b5942a0be0b72e121dadb762044f38cc

SHA1
885909607a9747c11eac6cc47b775ad947980c5e

SHA256
c565dd409f6d17997285f6fcecf851c56ddc3129c2a777529e8470290565ace1

SHA512
d2a916738fca01b6b5a27639fbefcc7406e79f8493d8f69015c60d07d0341ab8aa8e4e3ab50208161b7398bef62b9837e11524ffefc502b9f09efc011974e3e7

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
275KB

MD5
a2414bb5522d3844b6c9a84537d7ce43

SHA1
56c91fc4fe09ce07320c03f186f3d5d293a6089d

SHA256
31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

SHA512
408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
275KB

MD5
a2414bb5522d3844b6c9a84537d7ce43

SHA1
56c91fc4fe09ce07320c03f186f3d5d293a6089d

SHA256
31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

SHA512
408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
0cdf43198d2721395850bbe27d83391f

SHA1
4d80abbc82b8ab42e0e798e61e2778445d2c2a1c

SHA256
9b8144e93a03858de025bd01b0bb5d6c757da4ec91343a5a2a8e3832606cea01

SHA512
7f7f393034d73c275adf92d61271e51c7156e8d5df19f76653ed1abebf44b2b40e48369daf5f9729bbd585b5f3c70f1abfdec31c777be134ef8c6cbf4c812907

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\17AHC5NS.cookie
Filesize
170B

MD5
238ceea5c697c03c2fd219a1ff31fba9

SHA1
da8b70bce9f524133b9812c2fc8dbfecd3c75787

SHA256
70d761e77fbfb5a099abd74189a09cff33c6ad6ee4586270e41a94c7baf32e5c

SHA512
9863a41d52ea4d58153046060312f7a9bd81c01e4425ed387f31ebedd0af163bd01c8cb767dbad67a812adbcce7bf4e07631469617bbdbb5fa5ffec2bfb5d94d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\B65YS2LM.cookie
Filesize
253B

MD5
e702081f42e09ee8311cc9315dea97b2

SHA1
b9212bb40777c993dbb84e1486058673b863b61e

SHA256
1b6fb9c04b17008505e01528ea6bf58883ab38ca983be6565e99ddc61da40ee8

SHA512
988042be36b6f96ac020d1e7deb142cfefad9607dc4b06829d765fe92798423d61baf7128915180cafca43405c0ef5640828f544c690110b5e1e25022d6613de

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\I42AXSK3.cookie
Filesize
336B

MD5
5d60d62dec7a5cf6d74283c208a2ebcf

SHA1
91aff47875296e5ad7c2097aa46011091a8b9a74

SHA256
bcb4ec08b8e1bbbe21ea4fc1dc6ca92ddc080ba362d60b8d8739e3933e0f6c8f

SHA512
e76383a036b2472b5777e561b83e1fcbf14ee72d1d611275ea05860cf8752cabf9b826316ed389df172ee6880b70545d3df8111add5c18fc1e1fd69151ba2187

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\I764SJM1.cookie
Filesize
419B

MD5
e2e2d3a67225dacb780a8637fa2207e5

SHA1
feac133398abd609aaa083a5d89acba83ce22a0c

SHA256
20c3fd1591dd30e9e1970196b12314541aa74d5848871c2532734682204d1398

SHA512
85862886c9791b4e3616def9a8aa9a8e9648c60fd7b2763da8a0731da4c9be4123c6b8c291e06e6508398dec2e3879fe38bbe2490a19a9a8dbcf7df331f67871

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
6d81bb4c4a306f21536d881e2dd9529e

SHA1
24a7a420544e1105e00a005af52ade224a533655

SHA256
028957a175b2b03789bbe2d3b1fe7d71128bacb116ac77c7c2f08bd9b6297966

SHA512
9498cb6711cfd0d04ed339ed2a5f4b7eae3b28cb966d5bb8faed5853ce69a49c97a54c9fdf8e5944ba5191e4b3b2fea12a1d824dc143cc708bd284822604993e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
6d81bb4c4a306f21536d881e2dd9529e

SHA1
24a7a420544e1105e00a005af52ade224a533655

SHA256
028957a175b2b03789bbe2d3b1fe7d71128bacb116ac77c7c2f08bd9b6297966

SHA512
9498cb6711cfd0d04ed339ed2a5f4b7eae3b28cb966d5bb8faed5853ce69a49c97a54c9fdf8e5944ba5191e4b3b2fea12a1d824dc143cc708bd284822604993e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
6d81bb4c4a306f21536d881e2dd9529e

SHA1
24a7a420544e1105e00a005af52ade224a533655

SHA256
028957a175b2b03789bbe2d3b1fe7d71128bacb116ac77c7c2f08bd9b6297966

SHA512
9498cb6711cfd0d04ed339ed2a5f4b7eae3b28cb966d5bb8faed5853ce69a49c97a54c9fdf8e5944ba5191e4b3b2fea12a1d824dc143cc708bd284822604993e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
d7b2a9e205cc1228f29073f64aef4ba0

SHA1
5d297c4a7378090dc95b8b924f1a867e75f97783

SHA256
debb350a95546127842d91728c72ab14da1a59a5e2a3fabcb256f94f13d4addb

SHA512
17c6c69dfbf3ea4cb536d2a19912be765c478f76b228449bca46c163d860ffc5e606e30bab56dfd724aca673cad65dca565150d2655f3d717c1d904ebdf05e04

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
d7b2a9e205cc1228f29073f64aef4ba0

SHA1
5d297c4a7378090dc95b8b924f1a867e75f97783

SHA256
debb350a95546127842d91728c72ab14da1a59a5e2a3fabcb256f94f13d4addb

SHA512
17c6c69dfbf3ea4cb536d2a19912be765c478f76b228449bca46c163d860ffc5e606e30bab56dfd724aca673cad65dca565150d2655f3d717c1d904ebdf05e04

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
d7b2a9e205cc1228f29073f64aef4ba0

SHA1
5d297c4a7378090dc95b8b924f1a867e75f97783

SHA256
debb350a95546127842d91728c72ab14da1a59a5e2a3fabcb256f94f13d4addb

SHA512
17c6c69dfbf3ea4cb536d2a19912be765c478f76b228449bca46c163d860ffc5e606e30bab56dfd724aca673cad65dca565150d2655f3d717c1d904ebdf05e04

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
Filesize
71KB

MD5
f8370d132f334be6703ce54b08db1578

SHA1
55d98f702724f25535bfbeb7a46cee92d57a4421

SHA256
2b058754c1b4402ccc99db8e247f234593bb96015af801f2ee6880425b126fb6

SHA512
0eee39de1ffb965744c97a1c6918ccd755a4fae18d889893244e9d0e3760f28615e46cce524930f1d9f18540bbd6644cd45765c8f95f04c615a0ff682136b35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
Filesize
71KB

MD5
f8370d132f334be6703ce54b08db1578

SHA1
55d98f702724f25535bfbeb7a46cee92d57a4421

SHA256
2b058754c1b4402ccc99db8e247f234593bb96015af801f2ee6880425b126fb6

SHA512
0eee39de1ffb965744c97a1c6918ccd755a4fae18d889893244e9d0e3760f28615e46cce524930f1d9f18540bbd6644cd45765c8f95f04c615a0ff682136b35b

Download Submit
memory/596-301-0x0000000000000000-mapping.dmp

Download
memory/1068-267-0x0000000000000000-mapping.dmp

Download
memory/1216-658-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/1216-659-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1216-259-0x0000000000000000-mapping.dmp

Download
memory/1300-491-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1300-255-0x0000000000000000-mapping.dmp

Download
memory/1300-962-0x000000000084A000-0x000000000085B000-memory.dmp

Filesize
68KB

Download
memory/1300-748-0x000000000084A000-0x000000000085B000-memory.dmp

Filesize
68KB

Download
memory/1300-749-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1300-485-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/1300-479-0x000000000084A000-0x000000000085B000-memory.dmp

Filesize
68KB

Download
memory/2372-1261-0x0000000000000000-mapping.dmp

Download
memory/2664-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-169-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-170-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-171-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-173-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-172-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-174-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-175-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-176-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-116-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-162-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-161-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-159-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-117-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-156-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-155-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-154-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-153-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-152-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-151-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-148-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-147-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-140-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-145-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-115-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-119-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-141-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-122-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-139-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-130-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3152-1361-0x0000000000000000-mapping.dmp

Download
memory/3312-584-0x0000000004E50000-0x0000000004E9B000-memory.dmp

Filesize
300KB

Download
memory/3312-576-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3312-564-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download
memory/3312-742-0x0000000005120000-0x0000000005186000-memory.dmp

Filesize
408KB

Download
memory/3312-561-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3312-560-0x0000000005300000-0x0000000005906000-memory.dmp

Filesize
6.0MB

Download
memory/3312-474-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/3312-281-0x0000000000000000-mapping.dmp

Download
memory/3312-780-0x00000000067C0000-0x0000000006810000-memory.dmp

Filesize
320KB

Download
memory/3312-770-0x0000000006940000-0x0000000006B02000-memory.dmp

Filesize
1.8MB

Download
memory/3312-771-0x0000000007040000-0x000000000756C000-memory.dmp

Filesize
5.2MB

Download
memory/3964-477-0x0000000000BD0000-0x0000000000C14000-memory.dmp

Filesize
272KB

Download
memory/3964-758-0x0000000005B10000-0x0000000005B2E000-memory.dmp

Filesize
120KB

Download
memory/3964-753-0x00000000061A0000-0x0000000006232000-memory.dmp

Filesize
584KB

Download
memory/3964-274-0x0000000000000000-mapping.dmp

Download
memory/3964-514-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3964-744-0x0000000006BB0000-0x00000000070AE000-memory.dmp

Filesize
5.0MB

Download
memory/3964-746-0x0000000005930000-0x00000000059A6000-memory.dmp

Filesize
472KB

Download
memory/4196-1382-0x0000000000000000-mapping.dmp

Download
memory/4220-1310-0x0000000000000000-mapping.dmp

Download
memory/4240-1514-0x0000000000000000-mapping.dmp

Download
memory/4576-472-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/4576-264-0x0000000000000000-mapping.dmp

Download
memory/4812-1317-0x0000000000000000-mapping.dmp

Download
memory/4876-1450-0x0000000000000000-mapping.dmp

Download
memory/5044-1362-0x0000000000000000-mapping.dmp

Download
memory/5116-1287-0x0000000000000000-mapping.dmp

Download
memory/5320-1520-0x0000000000000000-mapping.dmp

Download
memory/5332-1266-0x0000000000000000-mapping.dmp

Download
memory/5336-1370-0x0000000000000000-mapping.dmp

Download
memory/5396-1527-0x0000000000000000-mapping.dmp

Download
memory/5476-1270-0x0000000000000000-mapping.dmp

Download
memory/5492-871-0x00000000023A0000-0x00000000023A6000-memory.dmp

Filesize
24KB

Download
memory/5492-864-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/5492-824-0x0000000000000000-mapping.dmp

Download
memory/5492-888-0x0000000004B60000-0x0000000004B6A000-memory.dmp

Filesize
40KB

Download
memory/5584-1263-0x0000000000000000-mapping.dmp

Download
memory/5612-1276-0x0000000000000000-mapping.dmp

Download
memory/5640-1281-0x0000000000000000-mapping.dmp

Download
memory/5748-1533-0x0000000000000000-mapping.dmp

Download
memory/5752-1293-0x0000000000000000-mapping.dmp

Download
memory/5784-1299-0x0000000000000000-mapping.dmp

Download
memory/5844-1304-0x0000000000000000-mapping.dmp

Download
memory/5908-903-0x0000000000000000-mapping.dmp

Download
memory/5932-1204-0x0000000000060000-0x0000000000154000-memory.dmp

Filesize
976KB

Download
memory/5932-1218-0x0000000004890000-0x0000000004896000-memory.dmp

Filesize
24KB

Download
memory/5932-1130-0x0000000000000000-mapping.dmp

Download
memory/5964-909-0x0000000000000000-mapping.dmp

Download
memory/6012-991-0x00000000075A0000-0x00000000078F0000-memory.dmp

Filesize
3.3MB

Download
memory/6012-1424-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/6012-1028-0x0000000008CA0000-0x0000000008CD3000-memory.dmp

Filesize
204KB

Download
memory/6012-1006-0x0000000007CD0000-0x0000000007D1B000-memory.dmp

Filesize
300KB

Download
memory/6012-1004-0x0000000006F30000-0x0000000006F4C000-memory.dmp

Filesize
112KB

Download
memory/6012-1038-0x0000000008CE0000-0x0000000008D85000-memory.dmp

Filesize
660KB

Download
memory/6012-987-0x0000000006C50000-0x0000000006CB6000-memory.dmp

Filesize
408KB

Download
memory/6012-1029-0x0000000008C80000-0x0000000008C9E000-memory.dmp

Filesize
120KB

Download
memory/6012-1433-0x0000000007E30000-0x0000000007E38000-memory.dmp

Filesize
32KB

Download
memory/6012-984-0x0000000006B50000-0x0000000006B72000-memory.dmp

Filesize
136KB

Download
memory/6012-963-0x0000000006F70000-0x0000000007598000-memory.dmp

Filesize
6.2MB

Download
memory/6012-957-0x0000000000770000-0x00000000007A6000-memory.dmp

Filesize
216KB

Download
memory/6012-917-0x0000000000000000-mapping.dmp

Download
memory/6012-1042-0x0000000008FF0000-0x0000000009084000-memory.dmp

Filesize
592KB

Download