djvu | f4445869a39abf52db1e7e9cd205433ddbfadcadb0a9f21586c9a43e0b3a05b8

Analysis

max time kernel
2s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4.exe
Size

2.5MB
MD5

22552aa59f68564328ae3a0ecb3982c6
SHA1

564d761ddeeba891df994119e41013a26b9d3ae4
SHA256

4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4
SHA512

4af5569df53eb7b82a54af2f2ce8f528d564dfae3f7059c597d1fc836b3eae1a87b85b4fcb7b1b11a5e7f6288e8c98fd2f7c46cb912afcd625caf3ce641d5e48
SSDEEP

49152:92CkbUTrCHdh1F2a2xyeN2DjgVlnHkyVYFuun3uMraR7qAe6C0J80O0/wLN6RZqe:1kFFOoeN2Dj7yao8uuJynF/wRbUUXZ/K

Score

10^/10

djvu glupteba lumma redline smokeloader zgrat livetraffic up3 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:13856

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw

rsa_pubkey.plain

Extracted

Family

lumma

http://soupinterestoe.fun/api

Signatures

Detect Lumma Stealer payload V4 3 IoCs

resource	yara_rule
behavioral2/memory/6932-561-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4
behavioral2/memory/6932-560-0x00000000026C0000-0x000000000273C000-memory.dmp	family_lumma_v4
behavioral2/memory/6932-562-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x0013000000023216-700.dat	family_zgrat_v1
behavioral2/memory/6904-714-0x00000000002A0000-0x0000000000354000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0013000000023216-713.dat	family_zgrat_v1

Detected Djvu ransomware 7 IoCs

resource	yara_rule
behavioral2/memory/6708-1438-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/6708-1440-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/6708-1437-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/6708-1452-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2720-1458-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2720-1460-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2720-1457-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

resource	yara_rule
behavioral2/memory/2884-712-0x0000000002F60000-0x000000000384B000-memory.dmp	family_glupteba
behavioral2/memory/2884-715-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2884-1168-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2884-1325-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/6264-1364-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/312-1425-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/7048-738-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2136	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
1892	TA6Tl23.exe
3216	mm3Mu81.exe
3596	2NS5898.exe
1688	5zJ2FM8.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1140	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TA6Tl23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mm3Mu81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
126	api.ipify.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002321a-20.dat	autoit_exe
behavioral2/files/0x000700000002321a-19.dat	autoit_exe
behavioral2/files/0x00080000000234b7-1590.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1688	5zJ2FM8.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2040	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
6892	1688	WerFault.exe	98
7036	6932	WerFault.exe	147
2196	3604	WerFault.exe	159
5952	2720	WerFault.exe
4772	6688	WerFault.exe	217
1780	4128	WerFault.exe	221
6008	2976	WerFault.exe	229
3440	5184	WerFault.exe	254
3468	5396	WerFault.exe	283

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023332-724.dat	nsis_installer_1
behavioral2/files/0x0006000000023332-724.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5932	schtasks.exe
3632	schtasks.exe
4492	schtasks.exe
4480	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4420	msedge.exe
4420	msedge.exe
1496	msedge.exe
1496	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3596	2NS5898.exe
3596	2NS5898.exe
3596	2NS5898.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3596	2NS5898.exe
3596	2NS5898.exe
3596	2NS5898.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1688	5zJ2FM8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1892	996	4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4.exe	91
PID 996 wrote to memory of 1892	996	4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4.exe	91
PID 996 wrote to memory of 1892	996	4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4.exe	91
PID 1892 wrote to memory of 3216	1892	TA6Tl23.exe	94
PID 1892 wrote to memory of 3216	1892	TA6Tl23.exe	94
PID 1892 wrote to memory of 3216	1892	TA6Tl23.exe	94
PID 3216 wrote to memory of 3596	3216	mm3Mu81.exe	92
PID 3216 wrote to memory of 3596	3216	mm3Mu81.exe	92
PID 3216 wrote to memory of 3596	3216	mm3Mu81.exe	92
PID 3596 wrote to memory of 4852	3596	2NS5898.exe	119
PID 3596 wrote to memory of 4852	3596	2NS5898.exe	119
PID 3596 wrote to memory of 4448	3596	2NS5898.exe	118
PID 3596 wrote to memory of 4448	3596	2NS5898.exe	118
PID 4852 wrote to memory of 1716	4852	msedge.exe	117
PID 4852 wrote to memory of 1716	4852	msedge.exe	117
PID 4448 wrote to memory of 4944	4448	msedge.exe	96
PID 4448 wrote to memory of 4944	4448	msedge.exe	96
PID 3596 wrote to memory of 4888	3596	2NS5898.exe	116
PID 3596 wrote to memory of 4888	3596	2NS5898.exe	116
PID 4888 wrote to memory of 3268	4888	msedge.exe	97
PID 4888 wrote to memory of 3268	4888	msedge.exe	97
PID 3216 wrote to memory of 1688	3216	mm3Mu81.exe	98
PID 3216 wrote to memory of 1688	3216	mm3Mu81.exe	98
PID 3216 wrote to memory of 1688	3216	mm3Mu81.exe	98
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115
PID 4852 wrote to memory of 4340	4852	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4.exe
"C:\Users\Admin\AppData\Local\Temp\4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TA6Tl23.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TA6Tl23.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mm3Mu81.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mm3Mu81.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5zJ2FM8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5zJ2FM8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:1688
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        
        PID:5800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        
        PID:5212
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        
        PID:5308
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 3080
        5⤵
        Program crash
        
        PID:6892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bU6iE8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bU6iE8.exe
    3⤵
    PID:6932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6932 -s 864
      4⤵
      Program crash
      PID:7036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7lv9An01.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7lv9An01.exe
  2⤵
  PID:7076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2136

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2NS5898.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2NS5898.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5432 /prefetch:8
    3⤵
    PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5628 /prefetch:8
    3⤵
    PID:1772
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
    3⤵
    PID:5484
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
    3⤵
    PID:5844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    3⤵
    PID:6548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
    3⤵
    PID:6540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb2ed446f8,0x7ffb2ed44708,0x7ffb2ed44718
1⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2ed446f8,0x7ffb2ed44708,0x7ffb2ed44718
1⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
1⤵
PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
1⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
1⤵
PID:5628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
1⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
1⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
1⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6276375042627381972,1460142049256506088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6276375042627381972,1460142049256506088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
1⤵
PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9583586310289895077,5126465581305224243,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
1⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7282072735499642335,4251712795055745205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7282072735499642335,4251712795055745205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
1⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb2ed446f8,0x7ffb2ed44708,0x7ffb2ed44718
1⤵
PID:1716

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x304
1⤵
PID:3432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1688 -ip 1688
1⤵
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6932 -ip 6932
1⤵
PID:7012

C:\Users\Admin\AppData\Local\Temp\120C.exe
C:\Users\Admin\AppData\Local\Temp\120C.exe
1⤵
PID:6364
- C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
  2⤵
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\nss245F.tmp.exe
    C:\Users\Admin\AppData\Local\Temp\nss245F.tmp.exe
    3⤵
    PID:6280
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:6148
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:6264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:7076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5864
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:312
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4268
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:5844
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:1208
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4480
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:6720
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:5400
- C:\Users\Admin\AppData\Local\Temp\tuc4.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
  2⤵
  PID:6880
- C:\Users\Admin\AppData\Local\Temp\etopt.exe
  "C:\Users\Admin\AppData\Local\Temp\etopt.exe"
  2⤵
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:6180

C:\Users\Admin\AppData\Local\Temp\is-4K3S3.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4K3S3.tmp\tuc4.tmp" /SL5="$120044,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
1⤵
PID:208
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 23
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 helpmsg 23
    3⤵
    PID:7064
- C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
  "C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
  2⤵
  PID:3672
- C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
  "C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
  2⤵
  PID:5544

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
PID:3604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 328
  2⤵
  - Program crash
  PID:2196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2ed446f8,0x7ffb2ed44708,0x7ffb2ed44718
    3⤵
    PID:6800

C:\Users\Admin\AppData\Local\Temp\16C0.exe
C:\Users\Admin\AppData\Local\Temp\16C0.exe
1⤵
PID:6904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3604 -ip 3604
1⤵
PID:4836

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7F20.bat" "
1⤵
PID:6416

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80A8.bat" "
1⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\9029.exe
C:\Users\Admin\AppData\Local\Temp\9029.exe
1⤵
PID:5600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 760
    3⤵
    - Program crash
    PID:6008

C:\Users\Admin\AppData\Local\Temp\9616.exe
C:\Users\Admin\AppData\Local\Temp\9616.exe
1⤵
PID:6268
- C:\Users\Admin\AppData\Local\Temp\9616.exe
  C:\Users\Admin\AppData\Local\Temp\9616.exe
  2⤵
  PID:6708
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\eeeda7b8-ad4f-4b50-b9e7-05ddcf283995" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\9616.exe
    "C:\Users\Admin\AppData\Local\Temp\9616.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\9616.exe
      "C:\Users\Admin\AppData\Local\Temp\9616.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 568
1⤵
- Program crash
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2720 -ip 2720
1⤵
PID:6240

C:\Users\Admin\AppData\Local\Temp\9C9F.exe
C:\Users\Admin\AppData\Local\Temp\9C9F.exe
1⤵
PID:6688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 852
  2⤵
  - Program crash
  PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6688 -ip 6688
1⤵
PID:1444

C:\Users\Admin\AppData\Roaming\ghjftva
C:\Users\Admin\AppData\Roaming\ghjftva
1⤵
PID:6788
- C:\Users\Admin\AppData\Roaming\ghjftva
  C:\Users\Admin\AppData\Roaming\ghjftva
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 328
    3⤵
    - Program crash
    PID:1780

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2544

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4128 -ip 4128
1⤵
PID:6480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2976 -ip 2976
1⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\EC18.exe
C:\Users\Admin\AppData\Local\Temp\EC18.exe
1⤵
PID:7008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
      4⤵
      PID:5920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:6936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:6960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      PID:2736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:5604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
      4⤵
      PID:848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
      4⤵
      PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
      4⤵
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
      4⤵
      PID:6140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
      4⤵
      PID:3344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
      4⤵
      PID:3444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1067070832263882205,11897824069278372422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
      4⤵
      PID:5556

C:\Users\Admin\AppData\Local\Temp\F82E.exe
C:\Users\Admin\AppData\Local\Temp\F82E.exe
1⤵
PID:4300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\F82E.exe'; Add-MpPreference -ExclusionProcess 'F82E'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
  2⤵
  PID:6496
- C:\Users\Admin\AppData\Local\Temp\b4acf2f1-8163-4348-a733-937ed95a2b12.exe
  "C:\Users\Admin\AppData\Local\Temp\b4acf2f1-8163-4348-a733-937ed95a2b12.exe"
  2⤵
  PID:6652

C:\Users\Admin\AppData\Local\Temp\FF53.exe
C:\Users\Admin\AppData\Local\Temp\FF53.exe
1⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\928.exe
C:\Users\Admin\AppData\Local\Temp\928.exe
1⤵
PID:7056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kH5yM65.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kH5yM65.exe
  2⤵
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GE2uv06.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GE2uv06.exe
    3⤵
    PID:7060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2hI0598.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2hI0598.exe
      4⤵
      PID:1216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:2196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17027713329578453269,9184632645577210622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
        6⤵
        
        PID:3640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
        5⤵
        
        PID:6968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,9838973105029705257,15584776281048112184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1740 /prefetch:3
        6⤵
        
        PID:6972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        
        PID:4240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14340495540045893081,11454635044759058416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
        6⤵
        
        PID:7080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14340495540045893081,11454635044759058416,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        6⤵
        
        PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5xn7yo9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5xn7yo9.exe
      4⤵
      PID:5184
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 2960
        5⤵
        Program crash
        
        PID:3440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6fR0KM7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6fR0KM7.exe
    3⤵
    PID:5396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 996
      4⤵
      Program crash
      PID:3468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bx6nF46.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bx6nF46.exe
  2⤵
  PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2ed446f8,0x7ffb2ed44708,0x7ffb2ed44718
1⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb2ed446f8,0x7ffb2ed44708,0x7ffb2ed44718
1⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2ed446f8,0x7ffb2ed44708,0x7ffb2ed44718
1⤵
PID:6508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5184 -ip 5184
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5396 -ip 5396
1⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\6284.exe
C:\Users\Admin\AppData\Local\Temp\6284.exe
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4a7e054ff36f584b0272e61b1d9ffefa

SHA1
fabdad5da7b3a4e635dc49cd2e7f07bebb9012a7

SHA256
e3365d241927509711527adc0edbb3f2a0da996c59b14bcdeb78288934096686

SHA512
53b101f4bd311ba8fade73521a363bd7e65d43158d9ce0a370ff1e9ecacbfe2a42d34b56aed024653b5b49052bd7bcf8b8259fa2d70a5e9aaf9519dee0204ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25315820c89b2a139048e92dc7aeb145

SHA1
49a2aaa85f6361efb02cd57da973deb105fa3d28

SHA256
85108425d74bf1ed9cf5e28698168c158bae603994a58c11b162afe6ca526d58

SHA512
504e01e69643f6ee5ee5227f007bf8dc9dd9389c63b368c41f59048e9a344d464ed10e08591809d134731e4ec53dfe15bf70306ed204ffbd46cb831f8b11f7e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0bd5c93de6441cd85df33f5858ead08c

SHA1
c9e9a6c225ae958d5725537fac596b4d89ccb621

SHA256
6e881c02306f0b1f4d926f77b32c57d4ba98db35a573562a017ae9e357fcb2d2

SHA512
19073981f96ba488d87665cfa7ffc126b1b577865f36a53233f15d2773eabe5200a2a64874a3b180913ef95efdece3954169bdcb4232ee793670b100109f6ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e997c7355765fb004f01f7d88bdb3fd3

SHA1
0b8a596db68ed043fe25cc7e9b6a8f0c2f2ddaff

SHA256
48c771c737392fb3bc58a45452cfaecadfea38bdec16c0ecb136a3794badf64d

SHA512
b68d17645a205c6e5db9fb886554b645b5d3c0ac3f31b44a742fc6863c8ede946194087e721593d45900a0f2ef36f22cdf08b82030ae4d9974c27f48040eb18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
627B

MD5
65ef13dacae8f624e06f87b823143fbd

SHA1
122b68691b126a048bfa54e81471da5215ee228f

SHA256
f65a95a416348b1014d18ccf332d150bfdbb91801abf08fe665802e7f9968ecd

SHA512
bb12361eaa34dd60c50a30d6d9242d245bac6cf21856c16e38ba45e6068ce2c3bb8d5e3c74b97174dbedd32e3ec47d2d438a5e25a1dee7ed439a1e82f91eac50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
298c15a2220b67c52162d32a5176e296

SHA1
c6370689dbdae4c9606a72b1550f8f60ec09f576

SHA256
697557a3b355a9c49ac45853ec5588aa62ae87b3705a958ed5ea526c38a44292

SHA512
b0bd7f8fb7c5b1f3bbfbd4b94073306b5d177da21b48b56b209bf2b7c2041dae870fe09681ff8bfec12948f03eb6dc6e63dccb511ee02a1caa96e13dee90055c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
535ed17dc48362975a8683d88ff43f53

SHA1
ff8129f6eb7fd7f684e7bb6f6e99a20c40b0bd33

SHA256
a3a4d16025ca8cd8ed260f2c62b4493400ce5002c63dcb3247ef37b9288e27be

SHA512
4c8ccc6301ec7f0b55d3cc4f419067556adfc6d32f00db49c78a2cb8de7baa67eefbbf42df5dda3a9723939ea7be65f9d9ae557291d79f8ed6c7681f3438ed17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7167161b2b4902d19a77843dd9a4dd7

SHA1
4f0e2fd6177af974d8d8bbe10ba39e5cfc770d52

SHA256
d42f70aaf334772cecc69d927dbad38bbddef09c5954538747c873111179f4d8

SHA512
0169c7b65adf0441533d97dbbd6441d29ec41c85c3e5f48a73ddbdbe73644f0b657293d70c8c58ef421f683fcd38366c3a73291a87dddbd3c09690f0e7244ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
011e739e966540c68b3441047d2d7986

SHA1
45f04c9a56288725124a18f6a8972b63f0e1ef7e

SHA256
1949d48e778518b6443ea872ef8876cf9f95253b7b3e4051005148847c1a8ce5

SHA512
1437a1fbf525390131fe11ae1355c5d794089b328b113792462e42ac6ed65e98b250b5f53eaa9a76c6c0077e6c22639d0fcc5f692f71e325bafba718d96cde4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1587231542b05cc71c7d4f4fe4369cc5

SHA1
5078c4232f02ed3bb1d9da86da2d62aa26e9dd56

SHA256
4067b0940fef3534ab8009d5d796b4d747d5661cddd23ae4e3060e3695746e78

SHA512
b2c373936de292a1e1cfaa6d4da171de84374398fa0da9a95896b16d00034685d0c430cbc42f36c0aea8e4443d78073b176244d19f102c7bd397412131d747b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79a4461fe61c1bb60be984e4dfe74140

SHA1
0b5864e21b70da3c935d11b0ead03818f73a8cbb

SHA256
70fc1b28ced62a8371341147e61d2ec2d10ede8405be330757cf1f3b27c94be9

SHA512
19c44e8f9e2247836665ae8e41be08ef397121a4b292e75c1761cd8d2565c876ab3d1326b5c5bbe17059f14baa2a34aa67b8ff8cec8e26e5310a12d801f42bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\16833f0c-24c0-4355-ae91-db9a6feec4af\index-dir\the-real-index

Filesize
2KB

MD5
9e6d97f20257ba5920373c583d1b41c8

SHA1
9c2e7d23d525d4db39c23a9bb0baee3d580d77e7

SHA256
6bddd42a1ce585a5e4fd833c1ce5f2dc615a6b6aa6ece12a8e98623ffe3559ea

SHA512
334161898e7670df1c6498a0014fa74a1c81247752a2915690f3bcf7cec3c3fb3037b12324e42fda6e4e1ac96d5834b564bb994dab26a21b623648cc8b8880a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\16833f0c-24c0-4355-ae91-db9a6feec4af\index-dir\the-real-index~RFe57ba38.TMP

Filesize
48B

MD5
219c87ebcd4fedc9ae3882b8a383dea3

SHA1
4b8f418d63329ac02dda12ed84f6d7d491af9135

SHA256
553f3af33d89b385449490ac2835d6f31e8a09459d16d1ad47b3f586cf8a5816

SHA512
61eb4c46587ce6ba193ff4eed3f7541b9f97cb9986b8f052caf632ecba2c164e2d52455526b2a82c3cfcdb8bd7d7988b99af7d9585f4e452128988472ea9c637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
4d90c585b0e5ff0ccb383bacfcdd6878

SHA1
6f478706ee9c4a5c0376982657932dc574006408

SHA256
7a6ca1e5c64cd1fb4ae657fc249e83ea02fb0fbbb4aac12b09638d8cdde40403

SHA512
b2711fdd934c78943f38ecf4ba013c910526b9c07a6adad63d9a5fe30464c68ba20ea1859bf7290e164809aa349aaa723380f9f8d916e7449bd24d3b75cae170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
7fa59850bd27b53dc658bc94b6472aa4

SHA1
fde53855180648ef4a1cb0c953625b614143e15e

SHA256
49c2a86ab117c1ffa8e5e7ed596c11fdcf033e6fc32e663a93212a5d50901077

SHA512
e3b9bda02268fc0fb03ddff0eeec01b57bb53b3fb185cc652589afb8586e9a05b66d9a7b8ef2061c5379b17b9b27bef10ff6ca5877bfc2b86f846ff7c4914947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
598e5e27b098921d3f42b7d4e9e2cb4d

SHA1
d264748c837f8cbc4859bf44602e51097b6a19f1

SHA256
5568009c2d5026ad7d75da008747dff36d03d4f479806c24c9a594159a217059

SHA512
df5417dfa1831ccd4b4fafa36071bbebe5b7eeee358ef6191184e8ccdb39e770f8304391521238bb4aad6dee171372b5ccb1f9ba26dcee9c3f111737b77c900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
f503193262765870bce3012bac45ab3b

SHA1
3ef6b0eb6916e6558d83817b1864b20e1aac4b11

SHA256
01331dcb47c3d2a1fd2dae43fe9b37b8f6d23c7ed0489d2bb957815de8ae6127

SHA512
31d4b016f7d46951f92a724486f3dcbee95b67590ff58c4a391b9687537ebe1261d7ba7e3e98784aa0241077adf3d168aa3e3407eecece037ca62c79dc364b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cd4de7387d32c6dabfdbbcd16dc46a8e

SHA1
1270c60d723fd25e77fbcc6cf20364a7aff7c99d

SHA256
8471a7bf32f3a10add5702e0514842d41fecd508c6b8a6353d121f0a25668e9d

SHA512
0d031f260c4d64b04718c58e2227c2e6b9221985d51f3c81e03800646a0a8d49d7b499c300b65e534fd6e0efe2c51ba9dd40f5a4ec4666b08a51a56fed11f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b371.TMP

Filesize
48B

MD5
ade9486236d234e508d186733c65ba3e

SHA1
5623aba8f04108840d618d79d33450ec43462e37

SHA256
7b41f4d417fc6071aca251d4013914b5fdc35fc4db66cc542bf08a80b1e0a06f

SHA512
19243443641317651c49d9161b3cd75aef93242756989390baad0c55fcfdec0956cfe19ccf308ea61195cd70dac934c137e1ebc323386ebb6e452328b2c15323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
988fd295695d6fbdd986c53bf3fd7ba9

SHA1
04440d96cb90ebd2ef2d80832c9066a92988ab03

SHA256
75bd985f65e9b2fdd7480dc407ca6d3af718214d01276823f34a6ce5cf976a79

SHA512
594c297ccacd137a93e2cb930b811c35fe4f54a4b0827a55c201d039ef4f4c510e139919ef2e68d3afb33413db412b015e7ad38e64a47ef4909b685dc92a2dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cefd20fa72168d262075c2c6c413c55f

SHA1
3e38b27d7e4b9d3de10c2ac6b041875e1345f59f

SHA256
31cccea81014f1d6e4cb1da761410cb79414e316a84cdd040779c96f29db1173

SHA512
240c3747531be84dd4705a20d15750eaa79d36123d72b9baf99968bfb783b8d43a8d0a9f9eef9383b644042424f6b37116f2daeefdf6a995e6deb9e12ab8272b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a3e1.TMP

Filesize
1KB

MD5
4d6ea89be8c4b19c8ede3ee88c53e79f

SHA1
f6abd4007e27cc6cc6362ba278240dc29be413bd

SHA256
bb2f7ce5d63e3c5848633efe5ea0244856f919b9dadbb71af5ee71d2def1548d

SHA512
a8e4718910e66025a61b02283bfb3b200b0e26af5034261b8bf59499284acef0cf80f17f417e639c5e24ad5d509f39df03a10ba2335dc46b7ccff5ef836d929a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b7118b4daa69648e629e77c1114a5f2f

SHA1
cd5d85b5844cee82896edfe127bbfdc7e4f34f78

SHA256
d67f38397cf5bae8e5dee4f560ccdd7a3c9c4efff463ee950f1f8fafb9c8fbfb

SHA512
3562ba94c94a039ee19582efd9183f11be31a0ddcaae7c14a880b6967fd660e56db910ed9863421b6f6c50cd9daa7f27ba2185a4689894d254157b604816c5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
aeaaf652117c4e22080b80b02c6dd71f

SHA1
2835d8932b88a9de17046125145cc24dcbdf04d0

SHA256
1fa5c57adaefb60d1e3d68c2eb123def5ddfc632c29f7a4c42ac543976996932

SHA512
ac29284a9ae3dca30a1573d5545efc59097c0852a93694664e2bdd33b66477e0294620edf7ebd666f8a15a14e26b2ce51f34135ac10333b13d1a6ff60e2fa1d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2798437237f094ccd736eece3c574187

SHA1
40012411ed8c4e338c7a7ae5a96290cfc45c65c6

SHA256
190348dbd452dda2196a8877bbbac3ad12e08f393ccfcb8dc4b816e509b5bd77

SHA512
989984ee484c015861ff5da089d234a26513a905ede2d7895c44fc5c87203a697f64e1fa31ea8ad4b1683924076fa60b36254aea038fdb46e17b054426991371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
248b90316b22407bc7772631d030e6b9

SHA1
ee728a32346bd547af81128f1252273171967725

SHA256
da49d8093fa123b390c932f05077b9184d83d5cbc539f59494929edb05b375f3

SHA512
ebf6063a1bd5d0618b1835a9143f60cfac5d81d4eb6b5c1013f53cfbf8e8772296c05f4f379d9fd5494ebda118a79cd04a08957d7f56134839c9a022e73bf5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\120C.exe

Filesize
961KB

MD5
c6dd9b4b4e1dace053e27e6b03a4822e

SHA1
c3a33736bdb491a28d5eb92e7b74841b7197dbad

SHA256
7e2925d135223050aadc6d19eecdf147942cf005284cf689497ded325b1993e3

SHA512
f3c6f160fecae6eed75dddea74d5eb9b029cc51810182790d75af660ec545d0bb62d3a3719b5bbe4d913a229e7858621154d1a19a5ce3e07ebf6d993878faf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\120C.exe

Filesize
960KB

MD5
39e7d6f1f1efd7a577e553e6d65d82f6

SHA1
9b0e9f505b8e0d9c438f146aa59e8fb0b62349d0

SHA256
e58e470b5131e719042adf09cd9e9b9f577ab6f29fe9435c95becba5595e340f

SHA512
c977094966e554b48122309f8cf7de89ef9d99b85e0427325c059bbd299dff1bfe0820c1c3a275891cae66e2b5dc8fdcd06c08d237ce166c1712d1568399e88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\16C0.exe

Filesize
213KB

MD5
d6c2883eca0fc9c62412b583c7c90653

SHA1
34226e3ee4b0051958fdd972998885d9b758b43e

SHA256
dc68e0b72f0bd9e792123bff4a84cf7c125886667165891b3c24b1cf871a03be

SHA512
1ff1f4d42d223cfe191a260142ad0383eba1f1dadadae251eff2e2cd59b8290278b0f1cf57ee9db986ac79225b0f4d04ce3cb743bb681fc96381e698d0da0fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\16C0.exe

Filesize
85KB

MD5
dc1ea59e08ba7260009b72c04ba484d6

SHA1
02be5c30eda898d1642fd8c46276a26f20d30e1d

SHA256
e03ef052e798b6fe6c60ae615318e7a90b47be3e7022bf26aa261524c3cc0281

SHA512
5780f2719c71d52ef2a8379c72d824af75ab607d09e6a65ba725ddddad79972d6ad704d76caf9edb3a60404235ef3e358944734de7207ab6e0b740a485af8852

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
714KB

MD5
125734bd66c902f27c700cf26c59adc0

SHA1
f6b3ea91236f45d6ce92e68d26d2a4fc9aac473a

SHA256
81356d6f5df55243a7ba8a4477753d798209a1aa807c9e3f1a144e06b6061227

SHA512
362098d62d5a719f2f546b2d9d11cc59873b8b0f62164ef4004f48cbda51fbc4560f56e5984c9638f24b3d90c04ea52ba009c72d4edea7b29c874ba288190c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
1.1MB

MD5
47d27b859ee72f9e261e21533f91c1f9

SHA1
8912f9993768001c7168f87b4fec9d6c514bf300

SHA256
bc2a23b5b59469c7d21639ccd85b40c0f09a372021e501243932d0a43f0dad44

SHA512
79f710e4c6cef004e2ecd0c7b6ef1204542edda962398cc94754bb69448018163a6c7b8357440cc4ec653cf715245c72725624e4c7b9c83b93a35665acf73948

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
144KB

MD5
238f4101dbf8926b9fcd79f9d22f0179

SHA1
6e9950b790e503dfbf7555a3ba45d26029d36b7a

SHA256
5a9a12346585fdf5086f65bcf1f701ff905e6024af007b9acbbccd5697f23ff0

SHA512
4254e38f5d0335c9ab81895890723168ccc3e9ae4001eb24fc50074fbfa3b1d16b815c4bffd5275b10ce323ff76d72163d044f11f042d4195563d698d01ebc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\80A8.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C9F.exe

Filesize
160KB

MD5
19ad7bc2eeff122401833e1eb6b8eefc

SHA1
19e5e97012b8393e51de1dd833e4ec3a9595c41d

SHA256
c0a0f1db67d388997b2e0494d4135495af6f24d29c9a2664884fe2fc7be6fb4d

SHA512
6b060a2c92ebce7dc3c9c2ed20595a43e6f21b49b7acaf53e4cf85277d33eb4a572bdabe2f8f271a87b040e985438a942fcd11313ee3f5adaa0f3ec9892f0057

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
115KB

MD5
717836209fff976228bb5dc0d3f51885

SHA1
f567bcc8ef17b594b72394630b11bde865d88eb3

SHA256
a4e6938de9c72ee9f829dbdd1e7cd208ce56efda4984a3ede1cdfa2b6248f4c9

SHA512
aec9d8cbb1e9a22baec6d9a352522451108bdbea40f59f5ff2819235f25f5e60edb8d2d543e7103d2687ee463247841f187e2e6869b3a9b3acd44ec02cf2295e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
92KB

MD5
337851b37e447c982644231b328599e5

SHA1
7138194591e35dbece43aee623b63d9efe2e7fe0

SHA256
7fefcde5709cccdfceaf433e853bf91462935f3797bd48f3628a6ea2548ad512

SHA512
8ffc758ab594d9591bb905cfbaed522e90115dca43c7d9469f908b7df870ee7ffa4400aa18b79baedc070cbf67e2853bd8e56fd3e48c22fde4c9402b22f90d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bx6nF46.exe

Filesize
38KB

MD5
e2387d97cd43621d6f22262e919cefe9

SHA1
49f32a420d65a2bd1ea15b56dc24482f59c52340

SHA256
50599c1e0adc3f07b796c386174f7bcdab0417ee3d6549460d7a83b06966f8fd

SHA512
cd1d305c7ad69a2c31383db9ab24b64c93606be4687b78d09d493c21c0cc31270616a90024a5c3f8b7e9d4641d2e272096fbf4c9f5559a5262ce5c67bdc87566

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7lv9An01.exe

Filesize
38KB

MD5
aa124bcf8127975be2017d69e8e0fb31

SHA1
c98638c63e948aa7047399ae15516a6a17a2d098

SHA256
4b668d43b0489e7659b9102a4ad88036dc930b7b2c3a8ccf46a4cb8669dc178e

SHA512
6b383201bc3c262281cd13bc520e07523548dbe0fe60240c32aa4851a405e3f96998aaeb10af3bae166b5a73cd78f00944a60f2a6170c87ebda6fbf7f6434034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TA6Tl23.exe

Filesize
1.2MB

MD5
34fddba074c62ee98a3c08d076633145

SHA1
f1950b10e8f19ad6418d61a0b259b99520099888

SHA256
03fccf5294469200e57a058e41e202b64d8ac61ab47eedc24712bf300fda38b6

SHA512
7ccee36b2fe64adf99f0c7a13c108f449271f3a7a252ccd7c346a8b58018b0820d7dc12c339b7a17d8891e072b387e3237ca59cfc65b3a62f73b068bd4f6d122

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TA6Tl23.exe

Filesize
1.0MB

MD5
6d5bd6821b48130d49cb505b9dce5242

SHA1
70547a63080fb824048591ba1646ab5d5a56f36a

SHA256
61343db0b2b4eb0f4b4030a4960321d636d89f08aaa39e41b18d325f4099ebc1

SHA512
73a9dcc3529e678a862d9ad9cf87d116698c4e8a2dd13235009d053bfa5878b479b5163b5916c54f4dd96597817c350f267249022834dafba3dc7cc658ab0727

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bU6iE8.exe

Filesize
92KB

MD5
22ef142bcd1d119484b427d2ffb2765f

SHA1
3b8351bc56166fce17368d83d2e22f9f239f8939

SHA256
8e23e74c6fe9a6be32de2cfdd1b927c87391fda775180d6afe814970ebd7fe46

SHA512
cfd9b70a0a6da503889b5a9b5783ab0c83e148dc82033579efa03b57c621c46e8a58c8ea4cd37baa81a4efef4850816614f1f0b65e1decca31e234e2f235b226

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mm3Mu81.exe

Filesize
498KB

MD5
d8236cdeda15f9c7d4e856c6eb273d77

SHA1
382d3b7454c24b8132de8e62a1f55404f2a4251d

SHA256
a5992bc2424f589186908bd2e6dc9ff31debc53e5cc3b3f4295bec88b811bdc3

SHA512
1f4a9cc894a2368e24b216c313131227e0bbb1cc88c02452a063800e7681053aa43317c75272cf921ec5ada732ad3b5cfc9d12b520d97fe2600e54ceab72051f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mm3Mu81.exe

Filesize
156KB

MD5
bfd0d9fca06df138a4edc75ce971610d

SHA1
fc4053023c873e187beccec4fea871e94c4a63b6

SHA256
072cbc8d0bbaa54038ac449cbd5c2790cb9092150ff0c73a0ca938d5ce173d37

SHA512
84612c13e86726ce588733cbc59c165c2573aa4a8c39dddddac1711011c8e90df5661dc40d622a2c62ed8daea34447aa1b06b9873d65bb0861bc6f4fc7efdba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2NS5898.exe

Filesize
93KB

MD5
bcf415c1f9080b4017a9440e217facd9

SHA1
1f05d862b5f76386972fed76d4090b9299958142

SHA256
e7e83b3042c7a207fbc2932323d386c276f5f9169cd8f87bdf3ab7592be95cea

SHA512
a331cbda6454416055ecfe16eeb0709ae5c4792afa4eca10c83c45b08aff6ae1b52cd3df6da444fc7c9603796e6ad9acda61671f50e1c8b87174f8460b509093

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2NS5898.exe

Filesize
92KB

MD5
a4fc893a76d2a6a210fb3eeb48026ea3

SHA1
0a4ca4a9932ba6c491bed256ef2b5cfaf5437aca

SHA256
fa58959a2d56a827419e7c256cbaeddd5bc18600babee170c1c8645dc2e01dd8

SHA512
7eac3fbf2fd6373a3e63412230f67d4486f39ca70a63a8cb1a9270bee74e233d38255a21de409a3ca6980e3ae413d9b14cab4d4c7d983e0747990e4eaec19c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2hI0598.exe

Filesize
64KB

MD5
cb07da10084ad8178d859a199c55ceb8

SHA1
a1bfff40b56b592edba3492e7d153352268d754c

SHA256
89ccb5b939e80e88d10495be69b89912d1619ef869c58551d79f55dcac8a9cde

SHA512
c7d9ad5d0312b27c850cfacc5ba85a672cd0423bad12465783944b9e91ee996fc8db178dda745df2458fdcd388ee8eb179bce11b4f92b234804fb33704df26ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
469KB

MD5
46884ace799c3e693fed5e5be8445f76

SHA1
4ba055e9a1b0295241a294efc8ea20c40612430a

SHA256
11c67e9cae5bf7234c2342ab6f87d2423161ee7bd537e65b4bc2b2481331ca04

SHA512
3455fb7b4b70e3f7766de477a0f685b92d8c942e56079153d7107d4624a929847c15605c7a9cccc259de0793a5a60a2966f83b13686d29780de93e12286b0762

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
320KB

MD5
2c75e5a6a2cca1c46c6a9f10bc23bd8d

SHA1
6a5cf503ea0d1bf962cb1414b2551b5ae73e8bc5

SHA256
fdc055fce9c90462df6a33cec6be99b6524f573adc1bd3e9b7db6b88e670caa4

SHA512
c1d73fd997a7c208c83af93ed7520e22be1f8617c01e1b17f454da038c19545dc1e285ffeca7fd464fbcb4d81f7c591de6cb642c29bac8f80aa570e6aa1364a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
734KB

MD5
61702de473d7800b6965c7a1350ad224

SHA1
787706c5df6d714699979e26fc2b2cd5411c93d6

SHA256
c4a9dcca596ef23e447142440199526a3f3888614d60469e444fdefb80100513

SHA512
3940f8ca45c5cc8c7a87de897db39e4a51dd9613748aac57e9dd4b8e89142f2d2a2e96d61f5624dbc9a63f0585a04eb1a5ddec68baa0962e415bfb5aa4a0c7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oh1qhdre.rk3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4acf2f1-8163-4348-a733-937ed95a2b12.exe

Filesize
51KB

MD5
568c7830dc8608191985873316c7bf5d

SHA1
d1b666f0bb20c42e20d98f445fcab93fb71ede23

SHA256
2f759a34368d8c7405de1b871440ecb35b190f04e7919e40200e03fcdcd6e291

SHA512
cd0bb755f9cc0ec703b199ac4a92197d2086a1cdd5b8085d566248a1676ea1d2b01cf5c78aec7d2cdf4407864db4f8f4a18e00375a143bde326ce5b530df060c

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe

Filesize
218KB

MD5
2eb56f00d879dccbf8721502ca5390be

SHA1
45c089d3f53e5d8a27fc0ba0b69c0d8f28e766c2

SHA256
39e9d41827982b9cdace5b275a2076a9e3ca202fdec61140ed3193033d961953

SHA512
58301b37cc20969a6cd467bdd07fb83e1c9e5f3a61d340417408601f3b84cd133fdce44763c2757b50312da78ffd671346a8e7953a0ce8c97724c9e0bcb4a052

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4K3S3.tmp\tuc4.tmp

Filesize
96KB

MD5
56a1d11fe94063e7e2b9b24840057461

SHA1
8ab3e96c0ef4bb0143c5717cc89fbd8419bd23d8

SHA256
4100382dcf10c8f4575e47e95ecd6997363c842bf885e0deb8a7523a468c5492

SHA512
7a3e9c1d66cf0ca1b59fd432f9f42b3cb8033e99ed5a2a5dcf8b420077394b4a60738271b5b64da00a0f4baca3e5fd5a9b94a9f60e4a2b83b85b6e4566d18e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4K3S3.tmp\tuc4.tmp

Filesize
158KB

MD5
d6d191a9032b5da0f774aede9906984b

SHA1
a8ee68e31d837c86e198be92549af083e3126e75

SHA256
9cc7124904146d6266c974e414b4cbe2df3dc1637f87de2667720b39d3d1933a

SHA512
c9b5c83f420982cb4d2d4a03ae5592905bc57b732835ac05d8a620d07c6e33b2d3bda5d60cfefeb293a0a805212f0aeaf9e1f52eed9fce7e33e319eba9ced843

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FBRV1.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq14EC.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS0V7RWJ0PaeVf\15GaPJFcdn5yplaces.sqlite

Filesize
124KB

MD5
4fc68d8673f19c9917ecb73405d886c7

SHA1
87d0370eac406bec80ee408c9a8101fda4e77e4a

SHA256
c273d412877b90eb0d51bcc76614cfc0e97f61629e79f9c12dd4e3327f7beeea

SHA512
6c107ebb405036382cd2c864e93572867f066152b5902159c836000d3eda061995df6335441bbcc7df1ee61b925a0d8bc381db286892251d6968306316e99f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS0V7RWJ0PaeVf\SyUSu2JuvNOQWeb Data

Filesize
27KB

MD5
8493694eeceb9e73a33bf1fda4d68fe8

SHA1
980729128700643d128add9216cb72fbab40ab93

SHA256
f5a6e0a814a9207ed2cac8e21b25615c6ba51fa403f35f3f901d52545f75df8d

SHA512
4cf9439e1e1eca752c2059eee4554df11a33272a75ff1ba01937b0650ea3d271e78d37009b7066944093b92cae8216c3bec12c04380d0e04c4435ac1a0ebc109

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS0V7RWJ0PaeVf\pg1pPUsjTfLXHistory

Filesize
31KB

MD5
a1cb857f7981ff6c48c40a94acb5e693

SHA1
83e68d3d02490bd7bbff8557359c1b5896e1f77d

SHA256
86dc47fbfbfe1c94b722e3f7dfd146fe6ed7f0ce53cd471cdd8fdb8e9e8a2959

SHA512
18375fc4486eb6270f9b14cf0ff2b96f22869bea0ca8a5f82915ce71091b706e7b117876aa62821ab7a2851590e82a4cc8eedceadb00f28f4f0660fa4de5def6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS0V7RWJ0PaeVf\sqlite3.dll

Filesize
8KB

MD5
38a84c588116319fc3a335dcae640b55

SHA1
24f6c39f806ecf47738916c9238852864615cc53

SHA256
6dbd0367db69c1dda261bd82ae095e3613645c8914313f3dc417ecfc11e01ec9

SHA512
823e7346a6bdfa3ed2cf8a3d20162014cf57331ad4d3c3b2ab9879ea2704efb806d6e6367928b72d47d3ad67669eea247f84a0e56249c9a8e612468d2b3adbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVS0V7RWJ0PaeVf\zSxc3NJM2IIfLogin Data

Filesize
23KB

MD5
2df9407adced82acbc0b29b90368ac91

SHA1
b871472f4032dca3ac579eb9cc3c5a3f9c04a8aa

SHA256
e24329591e336b0defd035382b95499fd947ae9c4ccbcda03c8790be4d9a5925

SHA512
54831292b50dae73121ef90959a215e797e736b84225e9d755b9a0a097bf25d980b93421c822105ed94535a1d70048d5a88a566c1ed79c9cb36394274ca3e781

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSpDRDlnYQ54UG\8yTlIliNPWByWeb Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSpDRDlnYQ54UG\sqlite3.dll

Filesize
369KB

MD5
e7018894f334246645b33e74597f66ba

SHA1
8afad01f07b787541cfbee6eca785c4f5f81284e

SHA256
53018da60186d3b5ee060c85367060d904d19c6e8c7807c064aded660668fe53

SHA512
47269ee46e77eb060943d4184699fba6ca488cc378bcf4f2e02ee895e901182001a2e47a82528cef4ecd98177ddc80587dca8d2fc35963835e7f2605e4884f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSpDRDlnYQ54UG\zL2juged0CZRWeb Data

Filesize
92KB

MD5
17a7df30f13c3da857d658cacd4d32b5

SHA1
a7263013b088e677410d35f4cc4df02514cb898c

SHA256
c44cbdf2dbfb3ea10d471fa39c9b63e6e2fc00f1add109d51419b208a426f4d0

SHA512
ea96cc3e2a44d2adeca4ecb4b8875a808ef041a6a5b4ae77b6bfd1600dd31f449b51b1a5997064c43e5111861ac4e3bc40a55db6a39d6323c0b00ff26d113b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempCMS0V7RWJ0PaeVf\Cookies\Edge_Default.txt

Filesize
1KB

MD5
a1b4e1c796b2094369d1e7f0cd01609f

SHA1
57cc80c1f39cd60a622217798e8ba6153293e564

SHA256
9003287d8c3d050b8005a6267030d5bf91d6b5d74a70cdb11e9c001232190352

SHA512
cb4573f1ef386a4efcf0cf304cd3ccc78b5d69471b1e24f9cfd10827b78ed2bfa458167444dddbb9b160af8f842e90a06cb31a3eaefbf7c19b88928a544e7ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe

Filesize
64KB

MD5
30a23f58ddd37564b5fba0c2eebfb0ef

SHA1
d78608e792b67b745c68f42b2c261c61af53464e

SHA256
430b02fff89b7c3b5e1307b3760ec34095ccfdac7bbf4b28c0d66b042b340120

SHA512
e2274a98423c6998b429738778c91dfeced068f1f8ac5d26822c44335b889165582a22e1f1e056819830baf18def81e244955e67ab1ac03080b735f22129a7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe

Filesize
31KB

MD5
9bef7a5204cc50683d7ce38cdcdbd0bc

SHA1
80eff4bdedacce1378c57ecd099903754485919a

SHA256
72c7f3c52e3391be3b0effbf277d6b489615035cb930c9f2cf7557d51fc4d486

SHA512
384a985c70b291ff6b96788bedbe412fc4c90ffaed96289c2f0968206f60dd2280592cb376baeeaa4931416827f018278368336aef6ec48ab4f245d05ba924c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe

Filesize
334KB

MD5
cec7f9a4b832fd6dfc9e3337d032ef62

SHA1
7822664b479853c26522a8f647dec978bd5de4e7

SHA256
0c59ad13f00698ae0aca9bbeff00233ad1a62bc8797674e2cb54f2d1d7c68d4e

SHA512
a54883ae80596e0559861c0e24f0fba84908540e43d0d5e989ad4d67b5a50cfc516840f52aaf0e2ac3bd11471e79c62a38835002b8f038b0f3d83fda9d08df33

Download Submit
memory/208-1204-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/208-748-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/312-1425-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1688-554-0x0000000000900000-0x0000000000D5E000-memory.dmp

Filesize
4.4MB

Download
memory/1688-65-0x0000000000900000-0x0000000000D5E000-memory.dmp

Filesize
4.4MB

Download
memory/1688-82-0x0000000008850000-0x00000000088C6000-memory.dmp

Filesize
472KB

Download
memory/1688-29-0x0000000000900000-0x0000000000D5E000-memory.dmp

Filesize
4.4MB

Download
memory/1688-70-0x0000000000900000-0x0000000000D5E000-memory.dmp

Filesize
4.4MB

Download
memory/1688-507-0x0000000000900000-0x0000000000D5E000-memory.dmp

Filesize
4.4MB

Download
memory/1688-447-0x000000000A750000-0x000000000AAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-426-0x000000000A150000-0x000000000A16E000-memory.dmp

Filesize
120KB

Download
memory/1804-826-0x0000000004360000-0x0000000004F88000-memory.dmp

Filesize
12.2MB

Download
memory/1804-896-0x0000000003090000-0x00000000030CA000-memory.dmp

Filesize
232KB

Download
memory/1804-807-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1804-777-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2720-1457-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-1458-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-1460-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2884-1168-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2884-707-0x0000000002B60000-0x0000000002F59000-memory.dmp

Filesize
4.0MB

Download
memory/2884-1325-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2884-712-0x0000000002F60000-0x000000000384B000-memory.dmp

Filesize
8.9MB

Download
memory/2884-715-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3456-1131-0x0000000007A30000-0x0000000007A46000-memory.dmp

Filesize
88KB

Download
memory/3456-583-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/3604-704-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3604-698-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3604-1145-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3672-1197-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3672-1185-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4692-688-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4692-1166-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/4692-750-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/5544-1362-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5544-1429-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5800-179-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/5800-158-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/5800-98-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/5800-100-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5800-101-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/5800-99-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5800-104-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/5800-108-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/5800-116-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/5800-105-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/5800-97-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/5800-117-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/5800-127-0x0000000006800000-0x000000000684C000-memory.dmp

Filesize
304KB

Download
memory/5800-143-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

Filesize
64KB

Download
memory/5800-148-0x0000000070020000-0x000000007006C000-memory.dmp

Filesize
304KB

Download
memory/5800-160-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5800-161-0x0000000007450000-0x00000000074F3000-memory.dmp

Filesize
652KB

Download
memory/5800-159-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5800-163-0x0000000007BB0000-0x000000000822A000-memory.dmp

Filesize
6.5MB

Download
memory/5800-164-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/5800-144-0x0000000007410000-0x0000000007442000-memory.dmp

Filesize
200KB

Download
memory/5800-177-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/5800-210-0x0000000007770000-0x0000000007781000-memory.dmp

Filesize
68KB

Download
memory/5800-228-0x00000000077A0000-0x00000000077AE000-memory.dmp

Filesize
56KB

Download
memory/5800-229-0x00000000077B0000-0x00000000077C4000-memory.dmp

Filesize
80KB

Download
memory/5800-230-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/5800-235-0x0000000007890000-0x0000000007898000-memory.dmp

Filesize
32KB

Download
memory/5800-346-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/6180-690-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/6180-696-0x0000000001F50000-0x0000000001F59000-memory.dmp

Filesize
36KB

Download
memory/6264-1364-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6364-624-0x0000000000370000-0x000000000164E000-memory.dmp

Filesize
18.9MB

Download
memory/6364-623-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/6364-755-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/6364-745-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/6708-1440-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6708-1438-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6708-1437-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6708-1452-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6880-697-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6904-716-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/6904-714-0x00000000002A0000-0x0000000000354000-memory.dmp

Filesize
720KB

Download
memory/6904-720-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/6904-803-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/6904-717-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/6904-746-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/6932-562-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/6932-561-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/6932-560-0x00000000026C0000-0x000000000273C000-memory.dmp

Filesize
496KB

Download
memory/6932-559-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/7048-738-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/7048-751-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/7048-802-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/7048-872-0x00000000062B0000-0x00000000063BA000-memory.dmp

Filesize
1.0MB

Download
memory/7048-829-0x0000000006610000-0x0000000006C28000-memory.dmp

Filesize
6.1MB

Download
memory/7048-815-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/7048-749-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download
memory/7048-784-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/7076-566-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/7076-585-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download