dcrat | 440d5de6aaa2ccd09e773a6092ebcf51025e7684025115f587552fe492eb5108

Analysis

max time kernel
95s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

538b71221fc868d804dad1b3019cf73e.exe
Size

210KB
MD5

538b71221fc868d804dad1b3019cf73e
SHA1

aacd8fa3f58ade7d9bf281ca171e56c35a2ddaef
SHA256

440d5de6aaa2ccd09e773a6092ebcf51025e7684025115f587552fe492eb5108
SHA512

5ee98f2bb1bed67c0ca3dd3fc6e16474a8ed86d7c70dc9930ae9f3bfee26e424e1e760356a877fbc0933414bfd554c71fedbbe2591178f3f23a3b529625dd9ed
SSDEEP

3072:RVpWFLFxLBHPEsWJ8/nPsdnv/zsln7dHyuDM16yBf6J3z16RtMmfX:R8LrLBHtWiPPsVv/zQ7dHyuDUBffM

Score

10^/10

dcrat djvu lumma redline smokeloader uniq2 up3 backdoor discovery infostealer persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

uniq2

195.20.16.190:38173

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		538b71221fc868d804dad1b3019cf73e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ff0a3320-c736-49f3-b8f8-33a892bc0cb1\\79A2.exe\" --AutoStart"		79A2.exe
		6560	schtasks.exe
		6624	schtasks.exe

Detect Lumma Stealer payload V4 3 IoCs

resource	yara_rule
behavioral2/memory/6804-1006-0x0000000000940000-0x00000000009BC000-memory.dmp	family_lumma_v4
behavioral2/memory/6804-1007-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4
behavioral2/memory/6804-1022-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral2/memory/3860-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3860-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1176-31-0x0000000002600000-0x000000000271B000-memory.dmp	family_djvu
behavioral2/memory/3860-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3860-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3860-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/368-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/368-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/368-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2692-360-0x0000000000740000-0x0000000000792000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	79A2.exe

Deletes itself 1 IoCs

pid	Process
3496	Process not Found

Executes dropped EXE 7 IoCs

pid	Process
1176	79A2.exe
3860	79A2.exe
1520	79A2.exe
368	79A2.exe
4016	A641.exe
4888	B630.exe
4824	AA6lH15.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1840	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ff0a3320-c736-49f3-b8f8-33a892bc0cb1\\79A2.exe\" --AutoStart"	79A2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	B630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AA6lH15.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	api.2ip.ua
67	api.2ip.ua

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023238-83.dat	autoit_exe
behavioral2/files/0x0007000000023238-82.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 4948	4680	538b71221fc868d804dad1b3019cf73e.exe	90
PID 1176 set thread context of 3860	1176	79A2.exe	111
PID 1520 set thread context of 368	1520	79A2.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
940	4948	WerFault.exe	90
4024	368	WerFault.exe	115
4736	5716	WerFault.exe	158
1844	6804	WerFault.exe	191

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	538b71221fc868d804dad1b3019cf73e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	538b71221fc868d804dad1b3019cf73e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	538b71221fc868d804dad1b3019cf73e.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6560	schtasks.exe
6624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	538b71221fc868d804dad1b3019cf73e.exe
4948	538b71221fc868d804dad1b3019cf73e.exe
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4948	538b71221fc868d804dad1b3019cf73e.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found
Token: SeShutdownPrivilege	3496	Process not Found
Token: SeCreatePagefilePrivilege	3496	Process not Found

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4948	4680	538b71221fc868d804dad1b3019cf73e.exe	90
PID 4680 wrote to memory of 4948	4680	538b71221fc868d804dad1b3019cf73e.exe	90
PID 4680 wrote to memory of 4948	4680	538b71221fc868d804dad1b3019cf73e.exe	90
PID 4680 wrote to memory of 4948	4680	538b71221fc868d804dad1b3019cf73e.exe	90
PID 4680 wrote to memory of 4948	4680	538b71221fc868d804dad1b3019cf73e.exe	90
PID 4680 wrote to memory of 4948	4680	538b71221fc868d804dad1b3019cf73e.exe	90
PID 3496 wrote to memory of 4076	3496	Process not Found	101
PID 3496 wrote to memory of 4076	3496	Process not Found	101
PID 4076 wrote to memory of 3144	4076	cmd.exe	103
PID 4076 wrote to memory of 3144	4076	cmd.exe	103
PID 3496 wrote to memory of 3196	3496	Process not Found	104
PID 3496 wrote to memory of 3196	3496	Process not Found	104
PID 3196 wrote to memory of 2000	3196	cmd.exe	106
PID 3196 wrote to memory of 2000	3196	cmd.exe	106
PID 3496 wrote to memory of 1176	3496	Process not Found	110
PID 3496 wrote to memory of 1176	3496	Process not Found	110
PID 3496 wrote to memory of 1176	3496	Process not Found	110
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 1176 wrote to memory of 3860	1176	79A2.exe	111
PID 3860 wrote to memory of 1840	3860	79A2.exe	112
PID 3860 wrote to memory of 1840	3860	79A2.exe	112
PID 3860 wrote to memory of 1840	3860	79A2.exe	112
PID 3860 wrote to memory of 1520	3860	79A2.exe	114
PID 3860 wrote to memory of 1520	3860	79A2.exe	114
PID 3860 wrote to memory of 1520	3860	79A2.exe	114
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 1520 wrote to memory of 368	1520	79A2.exe	115
PID 3496 wrote to memory of 4016	3496	Process not Found	118
PID 3496 wrote to memory of 4016	3496	Process not Found	118
PID 3496 wrote to memory of 4888	3496	Process not Found	119
PID 3496 wrote to memory of 4888	3496	Process not Found	119
PID 3496 wrote to memory of 4888	3496	Process not Found	119
PID 4888 wrote to memory of 4824	4888	B630.exe	122
PID 4888 wrote to memory of 4824	4888	B630.exe	122
PID 4888 wrote to memory of 4824	4888	B630.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe
"C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe
  "C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe"
  2⤵
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 328
    3⤵
    - Program crash
    PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4948 -ip 4948
1⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A8A.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9C31.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2000

C:\Users\Admin\AppData\Local\Temp\79A2.exe
C:\Users\Admin\AppData\Local\Temp\79A2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\79A2.exe
  C:\Users\Admin\AppData\Local\Temp\79A2.exe
  2⤵
  - DcRat
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\ff0a3320-c736-49f3-b8f8-33a892bc0cb1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\79A2.exe
    "C:\Users\Admin\AppData\Local\Temp\79A2.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\79A2.exe
      "C:\Users\Admin\AppData\Local\Temp\79A2.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 568
        5⤵
        Program crash
        
        PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 368 -ip 368
1⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\A641.exe
C:\Users\Admin\AppData\Local\Temp\A641.exe
1⤵
- Executes dropped EXE
PID:4016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:2692

C:\Users\Admin\AppData\Local\Temp\B630.exe
C:\Users\Admin\AppData\Local\Temp\B630.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AA6lH15.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AA6lH15.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Fy1Ru0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Fy1Ru0.exe
    3⤵
    PID:6804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 876
      4⤵
      Program crash
      PID:1844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Wl3KC89.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Wl3KC89.exe
  2⤵
  PID:5296

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1SU05be3.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1SU05be3.exe
1⤵
PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:1136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
    3⤵
    PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:3204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:1504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
    3⤵
    PID:5264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
    3⤵
    PID:5476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
    3⤵
    PID:6084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
    3⤵
    PID:6136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
    3⤵
    PID:5808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
    3⤵
    PID:6240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
    3⤵
    PID:6228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
    3⤵
    PID:6004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    PID:3552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:2932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5488 /prefetch:8
    3⤵
    PID:844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3276 /prefetch:8
    3⤵
    PID:6060
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8708 /prefetch:8
    3⤵
    PID:5980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
    3⤵
    PID:5740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8744 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8708 /prefetch:8
    3⤵
    PID:6128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:1
    3⤵
    PID:648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
    3⤵
    PID:6604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:1
    3⤵
    PID:6068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
    3⤵
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8756 /prefetch:8
    3⤵
    PID:6856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11863131565434095329,11433125635769514070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
    3⤵
    PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,6791075606941561063,1821949690984701697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1792,6791075606941561063,1821949690984701697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    3⤵
    PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
  2⤵
  PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16491041936262779559,12818424869792739622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    PID:5776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
    3⤵
    PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
  2⤵
  PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
    3⤵
    PID:4560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5215790403874237237,12212079444146365936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
  2⤵
  PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
    3⤵
    PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
  2⤵
  PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
    3⤵
    PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
  2⤵
  PID:5276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
    3⤵
    PID:5792

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ia8zk16.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ia8zk16.exe
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Cg290GQ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Cg290GQ.exe
  2⤵
  PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    PID:6512
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:6560
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    PID:6584
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:6624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 3100
    3⤵
    - Program crash
    PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
1⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
1⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\BA86.exe
C:\Users\Admin\AppData\Local\Temp\BA86.exe
1⤵
PID:4700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffbaefe46f8,0x7ffbaefe4708,0x7ffbaefe4718
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5716 -ip 5716
1⤵
PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6804 -ip 6804
1⤵
PID:6988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d4fa6d2a84fa78d11b875ea5cd30eba8

SHA1
992b2a18b5dce24b924086e93cd37a4463256c56

SHA256
4f5e1f270a70f3ad6f5de2661bb2577b8706b9a7f3c62e1eb73c38b29dadcc48

SHA512
a54f8208e37833c4ad89f751071a8912199198c8ce0aeec5cef9eadf11f2be24c6f436b8b0c13eb00080cea574c139e818b69026e72e9fc29719b85b04eac8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
6be52ce03b6db4b01754a35ddeafec56

SHA1
f9e6bf2bbc4911e987cbc05e4774eb4c7c217f2d

SHA256
764c55913d1e1440106d1ec3934daa3307cae42833a3e7b2e1f8ad82e2e2f6af

SHA512
9411476133d439e67ceb2502aa35ec6fb2c4c1af2802634fddd0eb54d607aae39c41a4fcd41d2b820d3471609061472689fbd6c90c7577460c9801636c6fd7a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
7ec7acc0360bce2ec3f23ccf39afa9c8

SHA1
cb527ce0927f26433545bf7d9765cc897c5d51c6

SHA256
7d8541b8d12867f930affeaf14eaff7d7193237e02c50ff7d7ba814342cbde34

SHA512
cb93492e0c7bf87aedd82046b8116bdf432438bc13802bad4c7f6243c97b7313630b25ab10a06818a1cf6d3c0073071ec6be232da26ee8aa7c91aee3b2e0472a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7d76fdb0-cfe1-4a04-8c42-a9947c4d004e.tmp

Filesize
2KB

MD5
0966eeb239e13c0e8956acd4e420309d

SHA1
91c43a2f62776f9ff2dee0e4292f2deb62a6381b

SHA256
a0034fcd1abb4a78f00e079d717b78310189eb9b25eb49d37774e7e8b60bc4e1

SHA512
76662298a2040addf875eb10a52178efb39fc3270c14ab2e933775e083ea739ecdf2faa72992fe667e122fe53f61c96fbf37ca4cd5f314100533380e108eedb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba867085de8c7cd19b321ab0a8349507

SHA1
e5a0ddcab782c559c39d58f41bf5ad3db3f01118

SHA256
2adaff5e81f0a4a7420d345b06a304aafa84d1afd6bda7aeb6adb95ee07f4e8c

SHA512
b1c02b6e57341143d22336988a15787b7f7590423913fcbc3085c8ae8eb2f673390b0b8e1163878367c8d8d2ee0e7ca8ed1d5a6573f887986f591fcababc2cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bcaf436ee5fed204f08c14d7517436eb

SHA1
637817252f1e2ab00275cd5b5a285a22980295ff

SHA256
de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120

SHA512
7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
35KB

MD5
25e8733bb8db69a637ce1e64235e5be7

SHA1
0d9cbefb96a6f1ddfa172ae495930d432062f0fd

SHA256
7a3345dc0f69619a8f44f0e5cbbb2e9dc8b68a63a6fc025395974cb7c421f612

SHA512
b12bfea40890da0fe688c332c19231d715ecf4255aa01eec4743ab61daa1c6b46c00e5aaf1ca9a2e7bfa13ac7d4cf38f760d780664b8ee1a4f2244822187aecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7367a0bcc80456274d6c2d59d85d5e84

SHA1
467674ba41da631472f5e4319355bdc151c4bc5c

SHA256
c567de25ea2d41c7cbddd04f3fdd7ba5d35200661bd9b3de6711bab172fbcbe7

SHA512
e2305fb7779a1ba233bfcc35efcdc06b29a3f06f67c4f6bb157fd5422e75d0b3a0feb9d9bfe21b2ec46fe308f91b34f96ae075ded27a48387c1f3d1602ff36b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_twitter.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_twitter.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
393B

MD5
fa567e1fe6bfc4e06730bc4252f62e2f

SHA1
7b66074a352ba35975e63b7133cb4efa7a9f70ec

SHA256
f92b029c9eb3ce908a04a849dca64905453726eb6bd17e98b43b844c744afa08

SHA512
3e8517ad903b28175761d31bc89f4b8ee21368b33fde3edd564bb6f3285e75c7b1175c0ba4a2b5c099fa8ffd5a729bf8c4ebd908f9fceba2ec47a0f59d39db2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
396B

MD5
05e995dc8d8079b1484bc4de557d6a5a

SHA1
8ac699a2d0de297e352ff560a07934e8414271d4

SHA256
f619dc9c91ccdbf9f8c07ef2318619a84e5d3ddff543ea02acd3ff919ce04428

SHA512
23c49cce461e9898880b6009c37d20b81102a8c1826896b12f8d669f865d475f9f3cab8a70791ae3fafe5c0f02afb99492bf3b2af2578c0414c72bc45a67218a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
396B

MD5
beb1ce1c3210e291da8f88e0c30d6f58

SHA1
97f504b43304945538aba12222012ec6b3cbb44b

SHA256
8f3b009629b365a66caab5745b49c16b2a6c5086e2d498d9d11fc2651fdfd654

SHA512
25fad434643b8efbbb24ce9e7161ad6d32afb96fc793bfb5652e0a599fc598b89a4d018404866089eddbb239ab2168ae726ba8b099d5c0e5e7f2314490c84e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
396B

MD5
d166962703fdff37ec27fd62d7a538f0

SHA1
b5ab12383e117bead9e37d68802be0894699791c

SHA256
04ddd6c9561af23142038d2e106265b4d7e57832c268e7bab1291433b331778a

SHA512
d603f320b56f53edcca071e7b2998f744f966df3c8d89a1e6d3079f19b0b30ff87f117d2fd6eca7d6d3a670ccf1c2a669626930c0ac5c294e59cd5b8b3f0c0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
396B

MD5
1f9ad76af16711878e652712cacf9ccf

SHA1
b8f860104edbf22cb7e3e1280719943742ce5bdd

SHA256
951561efbc407e114e21976dd47b91971e249c8a6409160ffb76de18229ad384

SHA512
1d6211c4b815abdce4f7891ceaf63f603ae376e6a685705cbc6f46c1b64c2c9dae0b5cb92b4b24a7fc5f3b257557d17e1936ff96a753e1f50919f4d943776111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
396B

MD5
745bb03d7e0349299a653610e010c35a

SHA1
37bb8052fb766a9b7c4b56c021673780b60d7130

SHA256
2f4146d60756bdaa37bef4e3dcd78b29f553523fa116378e2d4e283da681d239

SHA512
09e6458e1287e90aac6b759fedc4a44de8333dd027323596d80adb653cc911df31bca7ce9dac1b389d1eeb83e56ca1dbbd6ad8dd6547de08e9090be711c81a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
396B

MD5
c94f4f8510c94341e0b9be937dd1c403

SHA1
6a30447f3d5c7b3b8a7393567eb5f4f8c89de34a

SHA256
8c1b21a98e642d166919b0a2ffb5c6329c6f2ef236ea77643c837767c1ad32ac

SHA512
27cfc5874f871f5077274dbaf5fab5b95b60f400902a82d5b5671f5b3f4e8f4e06270c9f2f81200f67c7fdd2ae5c163c3eeaa394124a6ec6c068cd1f0874963b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
393B

MD5
6ff13ef238ba4c53dd6882924fe7cdc4

SHA1
da4014eecea068a97f058fcace7590dc31a5b49f

SHA256
f2d39ff05e8dcfcfb12ad47ef98eeb583de0fc3b147a68f9fa2c9a293d779aeb

SHA512
2ab0fedfdccd3ad0f578076a499b59bdf7773fb8aa8a03db76dc9003db6896a43077d72fcd04ab2b641acb38136fe30232bffb908280f428ce54c2c202ed0c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old~RFe58f48c.TMP

Filesize
355B

MD5
6cdca345ca2d6e8130d9305bef2265d2

SHA1
cc59e6e785430aa08b8d483b681673052f9ffd84

SHA256
cf6e9324a665426b89c899d363a702b9e9d807d1434030bf60d6d28502df44d8

SHA512
9f51a2fe1dfd9b4a3f399ad193ad2ccccb896dc278ea412cfdfabcb01cf956cc9a0d15878b155191e256387d0f7ee6a43efb89c804e54213f441ce96a682e489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bb5945dc80b9c399d7caafc193c21f5b

SHA1
4eef3869103b4c733492a8592f0cf231e2fbfa18

SHA256
62f21d2f18ab863cd00d2397433440fda1d581a8ee965f20e37f673a9631704a

SHA512
8124918b46d3b56baf35159989aeec9c7ae2f3c30d479d81d831303a5a04e7869da736ae13b8a25644013634dc944514b2ac3142afd3dec1657017621c5fe83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a4750e99e16a5b6c56b5b7c3155f41ef

SHA1
037c70541475830add4563649b60aa39e3a0eb41

SHA256
9e54956a125a91be7589a41ca4ca30e38735f788fa625474afaa12a91ec8f469

SHA512
f654b1c96f4955397ae34e4b81d911ce16d2a7ac3e18dc5b0319ff4f12a1b15b6a800a7577ee4619d14311f70d6f53ca7cda071c1af4cbc483fcd5a9514542ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
034849119cf6de0dae203a62debb120e

SHA1
e783c5cf97d91c63de7bfa0a1e631b15233b7382

SHA256
341332524d104501be7698f2ff779f2efb554ff012dad80b5a804259ad853010

SHA512
b2d9499865d7abb3af7f9ba8cc645fa724003bdaf5d5ea96d59dbce86953bde03997a991dae92095bc7f3742431541a1e59458021464b22e2ba4e749909c284b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b0ba6f0eee8f998b4d78bc4934f5fd17

SHA1
589653d624de363d3e8869c169441b143c1f39ad

SHA256
4b5ee509e727accbd11493dda2c1d512e7dbfaff66c4f5f7ea9c2d2ccd06151f

SHA512
e9a165da246c6b80fc38431538203cf03f95794184ff63f00c9500f8919a2028b803f64b670e685185eed72df0509e3185c9b434fdbf2bc7af36021d46bd08d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
79957cac080f17e1e38881c64edef086

SHA1
6f39a12ee9ef012bf35905b7cf42db0a315eefe6

SHA256
d06414cc548c71b756128d968afa186c23bc17a04f5dd84fc0b832cfd7e2c708

SHA512
049eb59dbd983b30fc18935d2cf51192b127d192e282bf7c88161160a6377912e9185f13829b4121c6bf4b795ee14dc5cb1e96e77e3e88e220a77a3b666af24d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
f53d6d57d8d53e235f4b21cfa7676603

SHA1
7f3e0f692e2c36a7d8974eef4acd9b34ad03ebf8

SHA256
bae4b9b9d700b738111454f45e7b08318e9e14bd2d8620335c726a4fdeeed6dc

SHA512
9c81b6a52122fa7379448fd29574fcb610ae326e5ee4a55fe08dee6c55146e2e1c05b921cf7de27bb28919b1916d55e7b0e5c04edf0bd18a750b0336085f7a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
4735789d59ed9d094446de1867fb6e8a

SHA1
ad754bf6c59af2eaebf4c93180fa138d12c66e35

SHA256
73d83b9482cfe342ea15e286a774a1f4b1ea75c5cfa111200385ee0cfdef5297

SHA512
ba3909674a11469495653ffef618f2955b2e934e02d72120e1770044a0b56f8232c3b1859378a9b89c362651d1487c22251ef021db511ceb8d9ccf34a71cbd4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

Filesize
83B

MD5
e415b4fdc049e4bfcc2ab6029061f864

SHA1
eb3971ae266eb49c8d49373562003f91f88a2a0f

SHA256
e401392e226e83107e8ce55e8f06a7fcf1b067ad60cee8343ef78f46508ea466

SHA512
7ee17ac2770bb9a0874179c854f57a4191afd4738f55eb813afcca4bb77b6fc6d12d598ef9266d67e90f04b95244124a5f4b1a2d8609aebec2dcce88166b7b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
297932c91b4343219532fd8e68050e7a

SHA1
e372900961ac81f7d921fa99c234113e8c9fb65a

SHA256
ba369a29e011fff05d1abd3f297b46b87e14a262eee03a580c49a621d5591b5b

SHA512
cc10dc788ce9ebeeaa138c82ac312255b618685418faa43b2e56d2c85fc681b80fc226f904d958b477933fc05016779ba8b36a1a73700f8f0ea3f20c202a5966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe595819.TMP

Filesize
48B

MD5
9c1b136c9b4cffd8655a4f18efff9e07

SHA1
897ef9bf10384a14baa8e6c6993b8ab0d5d51910

SHA256
d290f21d1b31e412694a6309837e601769c82440f592d0df2e4d903e1f2d2721

SHA512
30cd6a9bbe6274b25a77f0721be918cebcecb020769fe6af7801b1f95792b1741d93082a2dfe1e83f2ab5a3b54aa80f390447421ac0ec28e63dd6ec84c55460b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
6d6fec92b3ddae0596a92bb70a4c4aa3

SHA1
ced5bcf732e45f6f69d1413a6033a5c31b1976e3

SHA256
3c5ab3b7ee8284df7e57900a8ac48c1bad444ab5de870399fd0d9c624c04ffc4

SHA512
4d5e1790058f49722d33f0ee04af8981cc7cf24c96b515be1ba3bc7b43ff5c41270e80bb70933e0229bd1ff6f0cf771322fcdb928ad9befe8918e3db16750862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c7c9bfe8713a653f3167884bd6e9e727

SHA1
4c1c076ea6adb58ed3a4ffdf40670d2690b8cd4f

SHA256
026e31cd045edcb7539891250158ef0827a789430341ced01333983c4e0fc898

SHA512
0b0e718a0cd9fbf12883d5e28b90ee27a80bec88d2f5be54b81271feab52f2dde6d74e0ca621120315b537c6d5a231f33c6148db969b947b2472496eda8c68b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e801ce4cdf76d2dcc4ceaba7c9ad92dc

SHA1
29d1f1ecaeca2d6810d5ca71585848465c5a244f

SHA256
eea44b2565fafb8bf23648e76dd353b5d85756f458d013754c909d06185c012a

SHA512
37884a86911fcf70199091c5d50fb30156e53d97b259ff1645040dac0eab1f74d54495607316b293048594e04ed34ad219f53fbf0a26d4bff4740af98a57ec5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
5b344eef173a8e84ebb1b0188e8f71a1

SHA1
cd5c381cc0d60785e4091aae9781aa143e8fdabb

SHA256
5a723115b505d123a05bd2ba20f3cfe73cc934834cdb5e29b0134afe7d04f85e

SHA512
fbf1efaaa7226ff01dc50eb9d13d104bd6bc4b186d1acb85ca26034d8fc0ed39207aebd3861eee3f675d439886b882720236c224027a6086d144fc35a2a0817a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590cf6.TMP

Filesize
2KB

MD5
826869d1787578536412e1f63ec01d5d

SHA1
0e23ea808d9536529f3ec4d155ad28cf54a11816

SHA256
995223ca249c532a93a4b72250daf55311d9e21fb4e388561ac3a4a2b7ef93ec

SHA512
f9d575fac23b05d41c5c9d4d07281653a2a7f7c6971a4bc4ba88b824764ba6dffb088521843f2170f907eed4300af2e820056b1efafbd1826cf7f60ad2855279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c7e41bd3f8948198017ec224d9a8dc2e

SHA1
1f0753bc69aa63cf0becdd37c9ad5b09170e3723

SHA256
2cd3a89ae653b50ce11cca48d5ea1c77bbbf39f152a0736e66e3640ca5290f99

SHA512
efb4403c752147409f91ad1195385b2cab96a29cad6183cf9e2bc16c8617917d37791395891d51a74f0d571d6647477e54c2f0f01c81f121d082061744a238e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
2fa5b927bee2fd2d9f82870082ad0f85

SHA1
be5af4ac530df6dd861c74f21e9bb80353a2fc97

SHA256
be82ccf3b2237252b881c04798f8183d7fced1f7ba944c388cd64087a08fc573

SHA512
3236af5e3cc61181b4aefe747657ce4efadf1f3e20141d147bb20b2e7068441a1dbcbba7e259f606501a7ef28977f1cb4224d1cea0a6c8ee30be6ac5d1670dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6eab63f6545ec71286c51607dd7c68a7

SHA1
36acb09972f70ad6a3109e8791f94aed187ff91c

SHA256
2a8bab36d07642397d424a1a0116d01b6de5eff646d768a9ce3da8187d9623bd

SHA512
ff70c03788de459b087b15637c69198b62d4a781416423eb11a7be8377273e663174e83c19bf141ab0b140cc4cad3e122066a81ac0cee040d5746eb0a68b3fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\79A2.exe

Filesize
709KB

MD5
fb63e92c110edf654aafd854d6dfce74

SHA1
f42755793df9a53e786863f9eecaa5fd50087e6a

SHA256
56cf2235afa22716da576cf8e894ee3f480cf92c5e406a342666aabcec19c55e

SHA512
66744b574fabd0765ca85a59bb5409e95bfdcb6f96c434dcc0e8efff980a34e159ae8030ec04b8266f3db281d66f07f8ca503993dc1b104bce611a38f7a47985

Download Submit
C:\Users\Admin\AppData\Local\Temp\79A2.exe

Filesize
682KB

MD5
48de82fdbbdcda955e614f3e6f87d096

SHA1
2db6d56199ce7e4de572c728c505b982e7af2c12

SHA256
4b3e5d6be0222ff6d66ccc2d0375d6e189ac72d31352c9eeec322d280f3db85a

SHA512
aae9cd301970660d1fc035c492ddb633429893dcb9cab5c3b8d9d580bcce3657c42a596e74dfb81f09b307a7c82c1ce35373bd61baff4eafb6e49fff895cdca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\79A2.exe

Filesize
323KB

MD5
5b4f725baff6f737f25fb04b16de51ac

SHA1
74964e1caab897a931e20e52991a45b831f03a8b

SHA256
4681d3ea4d00081934eaaad0392ee8dd5d5539f01d4d40cfb7cff2bd974e888e

SHA512
a11f02ae2b5840cc3bb4ff6a1f3339e8dedef3a34f0e980111da0714e947dbfa59c4953778793613cc9c6845da278bc8edf101d0f24924dbad9aa2d91889b071

Download Submit
C:\Users\Admin\AppData\Local\Temp\79A2.exe

Filesize
57KB

MD5
a22b66e4cc130e1a0395f4d9369bc48c

SHA1
f28fc1d1d64ed047c8d1e0b7269e53d1cab9607c

SHA256
d6877b3d12b6ae4919c1759d7d65f8bccf5b116335ae96a7f035a63c672e6725

SHA512
ccec049009a7869e84f5bd465455e175c169d0bdf7efdfeadadb8754b1e7b7866115c479b3ef733c68ac899a6be79444601ba809a087b1b1fa0b26bec1ad6bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\79A2.exe

Filesize
252KB

MD5
1c4255969d4b630923c5b7b87f31a33d

SHA1
36ac4dcee523dd16d77b74a84f8a2a70af233518

SHA256
4e8f173b0566d3be0a5301170dfabd9966eadf17ed8bc78352e3f677bdd89b1b

SHA512
1ec6c5e2b7c6c98c30071ccfb83904e748893857310db91e093b780af0c122cf42ec66573fe06b1acbc8daccdc1e2626d6bce00953c575f15427b5158761a5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A8A.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\A641.exe

Filesize
101KB

MD5
89742f33253a69824a4c1bc89db75db8

SHA1
acc09316d5124c65d75727001ed9cd6bbf39a561

SHA256
2ecec165bc34e7b4f1a8f27194b7dc7ae6a742e5c96230e45b420d3f781b16bd

SHA512
95860f5724fc5a85ba57d992e33087726989d007fe2fde48fc81a21934fe898a50cd0735acc11f88af1f324cec5a992ad4df0be3d23fccb41ba1c034447b54a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B630.exe

Filesize
71KB

MD5
8bcfa854872baef887efef4360391726

SHA1
11e3976e312afc0fc94a4c4543f640bd40892c78

SHA256
1b4b25ec5fe5e1a6478ea21a2d0765c4f5caa3376f623dd5709b10510095f48c

SHA512
e737f7f0567b9dcae844ded52650724d7f7995e37ca13b39320f2be06366adf082db9aca1e247accb0293c0744d91a896d08f75d4de8a4a98edc099648cad836

Download Submit
C:\Users\Admin\AppData\Local\Temp\B630.exe

Filesize
107KB

MD5
a6835db034b5469d91d8ebf5d7ff1a79

SHA1
4ba133c2e40fd4f7cfa4529e887b6b2359333e7b

SHA256
4e42ee9337cdd7d1784c7d14024386c02e8b13e0be88198576ff82c53124fdb0

SHA512
d1f3027688348b62a8aee6738c83a00cd5bc2dc72a88613781f78dd2f4f739877150059b1e56436a62f2902d21a5d58091f225cc4606ce9932e95ac749d01304

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA86.exe

Filesize
395KB

MD5
9c858f624d52a5245cb027aedb1d09dd

SHA1
cac03018b050469bb4064f1fb5302a7a75b0a022

SHA256
cda6a120742ad8c5b3334160742fdbd98eba8afc75056e19ab75ecead4ca8f62

SHA512
c71922a494fd71c02d02ce7fedf8b9036c7c46a7ae79516db71e9d7535c69ebad0b8fa13390204253ec9854ea1b21b472c43bd84a6a4999dfe81a67914a65d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA86.exe

Filesize
159KB

MD5
cd209729b5e113417137d12ab1249075

SHA1
8a2787eeb0c008d1e440a8ec64214844a710f2f0

SHA256
500168cd73830870187ee4025bccdf0978ff6c551b5c6a8490503b4d3e13377c

SHA512
28dc2e015cdd5eeb62f56e26feeb231f80122c10625eec156c5fb512f61aa00f03bdc2888d81ef2d5c2b8271fcbd099f6ade49b353ffe614fda43563b14ee075

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
89KB

MD5
8a18eead808c983c6889162ffe86b7c2

SHA1
84b1aaee8e92b578044609a9a1726222bf3c83c8

SHA256
744716223236f92f070e058ff1bc36601f259de745169b69459be2586bdd7917

SHA512
ce2f2c99939753d306e1b0936bd8126c79cdd61d8fe5297ea1681f70827bae156e5c1e864ec1f3458c0b15bf1b3e0894c3ac6b80d0389065d3f728866abcbf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AA6lH15.exe

Filesize
64KB

MD5
6c2da48c1340076237f91b3ec1271dd5

SHA1
10ff536f768607346144164011cbfd5018f0cabc

SHA256
a1a84bbb7a9584411774fc75e356df7142ea69e9ba5b5434ed6ee247f529b263

SHA512
5580d79823d3c3a2e3f02e60ac1757611671074f10367db2b417b2653dbe6063ab93184722f1ee775a3e7a24a0ec03fd5c4bc51928476bb0be01c2cc8c69a10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AA6lH15.exe

Filesize
57KB

MD5
4e67892a64aa2c3ee3442f5d3b7382d0

SHA1
e44abc410295b27c0cbbb02923e086d0bc513d7c

SHA256
767baa8b0323919158b1950153c5250bcb72b8eb21d25c525aef426c106dc531

SHA512
03dbd6a65e800dbda7f167dfbb22646b4c47848867822cba75d05824066aeb013196f6b15f6e9e0f623c50f54e89a61b9b141b9da3a4f09e41bfadf48578a26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ia8zk16.exe

Filesize
66KB

MD5
279ee94939865cdadf7589b31a78b77d

SHA1
6c0bdcba6bdff155fc87b77741022423e504f680

SHA256
0b05379b225359537740eeccb7f73859cb7b5e60b83eb7d770b39df16054b97c

SHA512
8ff96ccd30d203423e051bc694dfd4c74bbaba37545df14ec8da99259ab66469e59738481505a8d07e6131d6cc5f3bc80803a4814389adacfefca1a5d0e456b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ia8zk16.exe

Filesize
72KB

MD5
a080270df4f0e09fc350725481fe27b4

SHA1
cc0cbc19b4f81671fef147a013b8edd54e9ced1e

SHA256
cf6ab96faa7fd318785429e452a62f7207255c2b9bc6afd5a1fba022c9da7e2b

SHA512
d4f2ff0d60a9c7ce2713f5f42ea8baa1c2001506dc0b7e010e7fdc1d03f876116c38731bbaab4ae9fe8384f8024e7a0dca3628a20ba708a1ff6e21fc90ea785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1SU05be3.exe

Filesize
29KB

MD5
34155632a7e41761ceb07e874ae919c6

SHA1
1fd4265a858603e7b9d0bd0dc7a97acaf4c3b8bf

SHA256
6351a004bb3a3869577ca5e14c55a0d585ca8defab4e90a47c1defc835df53bd

SHA512
d8dc0de3fc69826e75d0417a041fe597ca9c988b8aa65ab4b2054777bc292d7fb13727ff135a8f2e0483cf18e93d0f612a36f6e557a68e0cfa6434424582731f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1SU05be3.exe

Filesize
94KB

MD5
674ff3ccd4c98659a584b0d6c9a9ad75

SHA1
bf0eaef3f4b33326e1f89a962a96178927ae7597

SHA256
d3725b15df763d3ed4f7f7dda167ba1dc21f87d2e7704ee923cadc4ccee033ea

SHA512
ee6fb4cf38024f2939018dd9b67790d4d1016fec0fee0c00f71032e8742fff12f0c12be7a3a051cc8500890fd6acb1a2fe3eae87227e3bd20471e6c1dc1cb16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Cg290GQ.exe

Filesize
197KB

MD5
9bd2db75894206c79f74cc2506f6bb31

SHA1
5971b928a54cff104c3d259cb2634933b115fc0b

SHA256
81e78435af056011ed95ca6d38294e6bb6848a0c9aa9b038f3b0e94130e674bd

SHA512
1964844be6d29751bd81e33c826e047a8eb5710015d0afbcd78d80180b5e43e9a545c85a81fe80ac732bdff503fb133bb10985e0f9d88a850c9c494467201c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Cg290GQ.exe

Filesize
157KB

MD5
85ce814e28ef770248dfda757e933646

SHA1
7795f469576cfd1fce2698338b1efed71bc86384

SHA256
e6dacd665a8634cbb4a999399ea20be6dd235f78a852567f2ad78acdc48f6e26

SHA512
9fe118bfac4f3ef6682c24b203d9fb351f5856957eb84b3a32704dc578c24d99357a65f4c711f6fc7407d4e3706f90ff31beea65e3b39885191424deeb3e0a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS6c74C49exmfO\NLtTO9pWkv3HWeb Data

Filesize
68KB

MD5
03e2fa55b2aac87c429ac5e88db76547

SHA1
94a0c891bffbc9ada7e6c5b16905111bf2de1136

SHA256
e784ab5756a2f395fde73ae3638760c24485a62831c322ea769e7ba5e7bce51f

SHA512
c91c664a05444f46a40e050260abd7c2bddfb5f90143db32e523eeb6c41d81535dbe25ac2280c23fcbfe7e74fc60efa157e5e6750ed4173849a16e4257df108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS6c74C49exmfO\fYCRA4lmwbq0Web Data

Filesize
65KB

MD5
e8bc6a281574cf334233c0866c9542d6

SHA1
0a9386191d1873bef7c6cd7b2eb2f17aaf04b106

SHA256
30648dee71e20bf03b3086d9fcc1258ec81b0896da5658ee324b506d217c3092

SHA512
c38ce7959fce352ed1b701f8e3277051de34f65b99ba846808026f3617e80018e7724f4ab1830f53f63f21f6cd8a01c8c9b8fae5af04ef4ba3eb6a6c47ae4bf9

Download Submit
C:\Users\Admin\AppData\Local\ff0a3320-c736-49f3-b8f8-33a892bc0cb1\79A2.exe

Filesize
55KB

MD5
ed6ca91c5685d0b34d9dbb702371a02c

SHA1
fe0f2a17d283d485beaeabe8fdc49e423746ae80

SHA256
acbe99074d510d11fb21f7d93a062836fd099c989e074931f814191f6f8c5b80

SHA512
53557c1eb699a26c6db2d8707d3517424ccbb03d96d999a6f516cef79503c86170754a1588cac7149e8155bdfece9a6892b7dd1c6242b4e65d69bd492508ba01

Download Submit
memory/368-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/368-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/368-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1176-30-0x0000000002450000-0x00000000024E8000-memory.dmp

Filesize
608KB

Download
memory/1176-31-0x0000000002600000-0x000000000271B000-memory.dmp

Filesize
1.1MB

Download
memory/1520-47-0x00000000024E0000-0x000000000257E000-memory.dmp

Filesize
632KB

Download
memory/2692-1265-0x00000000069A0000-0x00000000069F0000-memory.dmp

Filesize
320KB

Download
memory/2692-367-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2692-1192-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2692-372-0x0000000005280000-0x00000000052BC000-memory.dmp

Filesize
240KB

Download
memory/2692-1188-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/2692-371-0x0000000005220000-0x0000000005232000-memory.dmp

Filesize
72KB

Download
memory/2692-370-0x0000000005A00000-0x0000000005B0A000-memory.dmp

Filesize
1.0MB

Download
memory/2692-360-0x0000000000740000-0x0000000000792000-memory.dmp

Filesize
328KB

Download
memory/2692-369-0x0000000006020000-0x0000000006638000-memory.dmp

Filesize
6.1MB

Download
memory/2692-368-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/2692-376-0x00000000052D0000-0x000000000531C000-memory.dmp

Filesize
304KB

Download
memory/2692-365-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/2692-366-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/2692-364-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-1167-0x0000000002DD0000-0x0000000002DE6000-memory.dmp

Filesize
88KB

Download
memory/3496-6-0x0000000001220000-0x0000000001236000-memory.dmp

Filesize
88KB

Download
memory/3860-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3860-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3860-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3860-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3860-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4016-361-0x00007FF7D8E10000-0x00007FF7D9437000-memory.dmp

Filesize
6.2MB

Download
memory/4680-2-0x0000000000A70000-0x0000000000B70000-memory.dmp

Filesize
1024KB

Download
memory/4680-3-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download
memory/4700-152-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4700-144-0x0000000000C10000-0x0000000001006000-memory.dmp

Filesize
4.0MB

Download
memory/4700-151-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4700-153-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4948-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4948-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4948-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4948-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5296-1168-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5296-1026-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5716-994-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/5716-218-0x0000000007B30000-0x0000000007BA6000-memory.dmp

Filesize
472KB

Download
memory/5716-217-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/5716-216-0x0000000000D90000-0x0000000000E5E000-memory.dmp

Filesize
824KB

Download
memory/5716-532-0x0000000008C20000-0x0000000008C3E000-memory.dmp

Filesize
120KB

Download
memory/5716-226-0x0000000007C20000-0x0000000007C30000-memory.dmp

Filesize
64KB

Download
memory/5716-726-0x00000000090A0000-0x00000000093F4000-memory.dmp

Filesize
3.3MB

Download
memory/5716-799-0x0000000008D20000-0x0000000008D86000-memory.dmp

Filesize
408KB

Download
memory/6804-1007-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/6804-1006-0x0000000000940000-0x00000000009BC000-memory.dmp

Filesize
496KB

Download
memory/6804-1022-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/6804-1005-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download