lumma | 74eb04510acd0fe398db8b3a961d44f93d665d7e6b3e3ad56e8e011794f2b8f9

Analysis

max time kernel
1s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exe
Size

2.5MB
MD5

a64d3efdffb5db4a80213b196c336f83
SHA1

06e844ad84ae392b4663996f8352a2e3923d0515
SHA256

b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd
SHA512

8913d10e7a2ea74bf77fa0d057065110ffffa3d4b12f8197240ffc65a1d040cb1cc45262a01c55e61ea0a1abeeb231b5a61a1f7e55d40d4caccf8e5f30bf3eeb
SSDEEP

49152:iGtKtH2262oFyWcJEgpjlVoyIY04Inxuhbaxzqjxoy0p+pPvT+L0uHEqPpQ5XaWf:PG2+EyWcJEPynNSultYaXT+QmREXaa

Score

10^/10

lumma redline smokeloader stealc zgrat 777 livetraffic up3 backdoor evasion infostealer persistence rat stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:13856

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Extracted

Family

stealc

http://5.42.66.57

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

lumma

http://soupinterestoe.fun/api

Signatures

Detect Lumma Stealer payload V4 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2100-557-0x0000000002580000-0x00000000025FC000-memory.dmp	family_lumma_v4
behavioral2/memory/2100-558-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4
behavioral2/memory/2100-559-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5828-864-0x0000000000B90000-0x0000000000C44000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5848-902-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral2/memory/3744-1497-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

5852 netsh.exe
Executes dropped EXE 3 IoCs

Processes:

RK0jJ97.exeNU8VV81.exe2LV4887.exe

pid process

212 RK0jJ97.exe
444 NU8VV81.exe
2872 2LV4887.exe

pid	process
5852	netsh.exe

pid	process
212	RK0jJ97.exe
444	NU8VV81.exe
2872	2LV4887.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4236-1551-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exeRK0jJ97.exeNU8VV81.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RK0jJ97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	NU8VV81.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2LV4887.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2LV4887.exe	autoit_exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4288 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5876 2968 WerFault.exe 5BE9VW3.exe
1936 2100 WerFault.exe 6ha7Tt3.exe
3512 1072 WerFault.exe toolspub2.exe

pid	process
4288	sc.exe

pid	pid_target	process	target process
5876	2968	WerFault.exe	5BE9VW3.exe
1936	2100	WerFault.exe	6ha7Tt3.exe
3512	1072	WerFault.exe	toolspub2.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5564 schtasks.exe
2924 schtasks.exe
5920 schtasks.exe
2776 schtasks.exe
Runs net.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

2LV4887.exe

pid process

2872 2LV4887.exe
2872 2LV4887.exe
2872 2LV4887.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

2LV4887.exe

pid process

2872 2LV4887.exe
2872 2LV4887.exe
2872 2LV4887.exe

pid	process
5564	schtasks.exe
2924	schtasks.exe
5920	schtasks.exe
2776	schtasks.exe

pid	process
2872	2LV4887.exe
2872	2LV4887.exe
2872	2LV4887.exe

pid	process
2872	2LV4887.exe
2872	2LV4887.exe
2872	2LV4887.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exeRK0jJ97.exeNU8VV81.exe2LV4887.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2216 wrote to memory of 212	2216	b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exe	RK0jJ97.exe
PID 2216 wrote to memory of 212	2216	b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exe	RK0jJ97.exe
PID 2216 wrote to memory of 212	2216	b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exe	RK0jJ97.exe
PID 212 wrote to memory of 444	212	RK0jJ97.exe	NU8VV81.exe
PID 212 wrote to memory of 444	212	RK0jJ97.exe	NU8VV81.exe
PID 212 wrote to memory of 444	212	RK0jJ97.exe	NU8VV81.exe
PID 444 wrote to memory of 2872	444	NU8VV81.exe	2LV4887.exe
PID 444 wrote to memory of 2872	444	NU8VV81.exe	2LV4887.exe
PID 444 wrote to memory of 2872	444	NU8VV81.exe	2LV4887.exe
PID 2872 wrote to memory of 1504	2872	2LV4887.exe	msedge.exe
PID 2872 wrote to memory of 1504	2872	2LV4887.exe	msedge.exe
PID 1504 wrote to memory of 920	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 920	1504	msedge.exe	msedge.exe
PID 2872 wrote to memory of 4604	2872	2LV4887.exe	msedge.exe
PID 2872 wrote to memory of 4604	2872	2LV4887.exe	msedge.exe
PID 4604 wrote to memory of 2292	4604	msedge.exe	msedge.exe
PID 4604 wrote to memory of 2292	4604	msedge.exe	msedge.exe
PID 2872 wrote to memory of 4892	2872	2LV4887.exe	msedge.exe
PID 2872 wrote to memory of 4892	2872	2LV4887.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exe
"C:\Users\Admin\AppData\Local\Temp\b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RK0jJ97.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RK0jJ97.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ha7Tt3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ha7Tt3.exe
3⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 864
4⤵
- Program crash
PID:1936

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7SV4qS88.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7SV4qS88.exe
2⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2LV4887.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2LV4887.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
3⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
3⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
3⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
3⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
3⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
3⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
3⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
3⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5592 /prefetch:8
3⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5164 /prefetch:8
3⤵
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
3⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
3⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
3⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
3⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
3⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
3⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2272481338774485639,7595228301030257248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
3⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NU8VV81.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NU8VV81.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5BE9VW3.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5BE9VW3.exe
2⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
3⤵
PID:5468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5564

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
3⤵
PID:856

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 3064
3⤵
- Program crash
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
1⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,15132772690614657784,13632384538771629032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
1⤵
PID:5580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,8265818366975145180,845855493515138412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
1⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8265818366975145180,845855493515138412,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
1⤵
PID:5220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4e8
1⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,15132772690614657784,13632384538771629032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
1⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
1⤵
PID:920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2968 -ip 2968
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2100 -ip 2100
1⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\E73E.exe
C:\Users\Admin\AppData\Local\Temp\E73E.exe
1⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
4⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
4⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
4⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
4⤵
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
4⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
4⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
4⤵
PID:524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
4⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
4⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
4⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
4⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16737083709081352333,885210093314291121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
4⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\FE03.exe
C:\Users\Admin\AppData\Local\Temp\FE03.exe
1⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\nsc16BD.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsc16BD.tmp.exe
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:5568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:1204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5248

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:5728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3264

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:5748

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:5920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:3584

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2776

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:5928

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
PID:4288

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\is-7H04H.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7H04H.tmp\tuc4.tmp" /SL5="$1201C8,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
PID:3556

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 23
4⤵
PID:5004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 23
5⤵
PID:5148

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
4⤵
PID:2100

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
4⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\4CB.exe
C:\Users\Admin\AppData\Local\Temp\4CB.exe
1⤵
PID:5828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
4⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
4⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
4⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
4⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
4⤵
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
4⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
4⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
4⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
4⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
4⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
4⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3557573354682802207,3651771621571811800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
4⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 332
2⤵
- Program crash
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1072 -ip 1072
1⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5588

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6FDA.bat" "
1⤵
PID:5292

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7162.bat" "
1⤵
PID:6068

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ccbb46f8,0x7ff9ccbb4708,0x7ff9ccbb4718
1⤵
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5432

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\947B.exe
C:\Users\Admin\AppData\Local\Temp\947B.exe
1⤵
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bytematrix74\Bytematrix74.exe
Filesize
198KB

MD5
19f59c698cec01521b0537fb5ec3db70

SHA1
86cd5fab7ecb4c1172f4de1fb53ec3311231787b

SHA256
38fa1d7322ddca59a7401f763023d5eb37d97f571a1a73fb81795badf70f709c

SHA512
c50b15070879275cf7d10272420637405dee48de96936179fdf8485e2d0acaafa664d75dab8d861cb9c6019549e18f4a9b339752c39c22fae017f8f4492c9213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4a7e054ff36f584b0272e61b1d9ffefa

SHA1
fabdad5da7b3a4e635dc49cd2e7f07bebb9012a7

SHA256
e3365d241927509711527adc0edbb3f2a0da996c59b14bcdeb78288934096686

SHA512
53b101f4bd311ba8fade73521a363bd7e65d43158d9ce0a370ff1e9ecacbfe2a42d34b56aed024653b5b49052bd7bcf8b8259fa2d70a5e9aaf9519dee0204ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
25315820c89b2a139048e92dc7aeb145

SHA1
49a2aaa85f6361efb02cd57da973deb105fa3d28

SHA256
85108425d74bf1ed9cf5e28698168c158bae603994a58c11b162afe6ca526d58

SHA512
504e01e69643f6ee5ee5227f007bf8dc9dd9389c63b368c41f59048e9a344d464ed10e08591809d134731e4ec53dfe15bf70306ed204ffbd46cb831f8b11f7e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ce94360a0267af7bd2e97117da7c1fa

SHA1
28330c69737fc4e77bc501ecc988a6a6cb8db5a3

SHA256
d38c802f51e2144955f151846c640349d7cf4b158752aaaa4c841f81f850a470

SHA512
a3e0eac276575aade49a4f32972883b8ccc4f505cc146ca16726d46d85b5fde33e8bce293233b72b606805979fbbb9c47fa873d372dfa9cc474619207edcde90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0bd5c93de6441cd85df33f5858ead08c

SHA1
c9e9a6c225ae958d5725537fac596b4d89ccb621

SHA256
6e881c02306f0b1f4d926f77b32c57d4ba98db35a573562a017ae9e357fcb2d2

SHA512
19073981f96ba488d87665cfa7ffc126b1b577865f36a53233f15d2773eabe5200a2a64874a3b180913ef95efdece3954169bdcb4232ee793670b100109f6ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
c6eda62168599a8adc8dbebf3bf77ca5

SHA1
b8a36a182769887ed850241328ddf7c69a210818

SHA256
18812405d293302b2e227a45867b87fc1a1cd8d6cdf6ec5d966ac4b5f3d4b1a7

SHA512
e54db1df8ba926d2a6d9000f41466ab71bcde3a5511ea2e59ce0971a1a398c7e1b7b49bfcc9eb4a74af1c17af8d0681e5f7de61ec3a4658784d729e15e61476a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
Filesize
624B

MD5
532a28399d4eac4565674b0f81fa1eaa

SHA1
1bb9e2b46a86653369188ba2232d1151aca6aa7b

SHA256
ae4d2e5f82c7ab22ad3aa0ffa4514211b4137d3f2e2baf0414d65066d1a1e778

SHA512
2cfaa4aac1805b4d384a0ebf4f1d158f909194aaff3cdfad137c53f469b8d1838d5b1bed891a6c1937f92ceaeb1985c2089ae611af174ce9cb421f332d91bc4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
ef818e616c0ce7d789bdbd8c2a858f7c

SHA1
98d1cafe4072ad23a5a181720e19e3e4a860bc89

SHA256
40bcf59ce91a13c424c213741b3e8944e45de9e2f014e234504290326f28974a

SHA512
41e12223d28542e45dbd19997036ac876eececbbb41026293c3cf74461d9fd4824c294f3c06bd3eb50d197a2abe782c578c6e259ccff67bfa5cd17e35bf11129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
67c2560a46f5d2389c63294dcf438b7d

SHA1
c979c1caca61726cb9feb4fed1344bcc26bdc6eb

SHA256
4111ac1e6425c4f0b7cdf4198912133b8d661f1e7f4d68cff770b27fd0b7523a

SHA512
ec50b8eafd5042c20df10e2efce6ee1398473882d628a65c622e98717925bd9ef77614c898fd306c095067d9114f8c34f4d81c04a407b5f919d0f53138e84de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
517780e6349f4b6cdec088b1b038a64a

SHA1
aefbd730b09e2e175a43d7bf8c734deee0a0be84

SHA256
1bef2de7d5a396f23276b53240bd865b16e200229986a916ee9c70414a6d2a88

SHA512
5e312b6e4bfc6a5913d810522fbcda37cd9bfef22301a45688d6fe18a0d1b0e3da4c953b4365ded493c7508067d27db23fc903037bdce6e94a95e665dcfaa1e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
63778f38a86b24291332c5fcc32aa05f

SHA1
05e32c6012507cc79966a3ef73c5773aec0bc84e

SHA256
07b8b43e167da761ca901ce96ba2d825b0ffa037488404c75c5c279647303833

SHA512
f8711017812bc6812e989d2eb47c12b61f019130fe6a0450b7b6a63bb25d8003cae437974131a1be6e786aef5210c8a34d7495c418546918b3cade5bce108d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ba192946a02f123d7969fc463c68d6c0

SHA1
b2257f1819a65562d825ae780b0beab63eeab20a

SHA256
35dd864398631d12c844c9605a70e7037c0a5220340f8c739082c39fbe2451c9

SHA512
c6f4b39f99d5ff867156f3fc7d26dcfd54f1cb4f29507db8da03436904ca83182bcc662b6125bc5215730d31531fb35fce645523cec9a021903631234b4fb825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bfe0f5e755e61c5e514f3ae169bad406

SHA1
63882ce574acc21971d292f5709e48862647c123

SHA256
0d18aecac8af61fc61484ceaa736fbcf0c60c03690a7bc3fdff1b3af93be02b1

SHA512
d70882b0cce69d67be5f01a4f2548063e6ec975cdf00067db9622edf044811364b193050f20d031c1b8d50a2c75267c0979f26f9285c8cb54768b8273a093b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b091587b-29d0-4ede-8e24-e3a6f4d9242d\index-dir\the-real-index
Filesize
2KB

MD5
50a666166f78d37f7405fdb771a4897d

SHA1
851eec37cbb91cff02fce12516f46dcb82411b35

SHA256
010469216679ed2d62ac78e032f562f226abc77322db397121b495b090bd5e96

SHA512
86e94e963f6cf5e9614547518a941d9d75693be4bbbbed87fff1136551ea1f9b07d8c0fefebd59d0f8c44eea8ea248fe062aacfe5b33001f829c9f7ea48ac7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b091587b-29d0-4ede-8e24-e3a6f4d9242d\index-dir\the-real-index~RFe57bc0c.TMP
Filesize
48B

MD5
62e3926dcc251e5c37f341ea37a4cfbd

SHA1
67e4687a406d55c0462755b7659a6125ea8b2525

SHA256
fc84221d75ccaa88c8c386c587c3239b20008f986de8234a19aa24fae3e52db0

SHA512
a738d342a45a226183f0cd8afabcf2ddc1cdfbaa6abfebcacec126343aa6da01e24495d6901bdeac4895453876b541b38746ee5289975e4ab33fa47c06be4cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
4788b692319f5ae386998c1a598bcdca

SHA1
a9acb1b6200d869f7c2b85fdb78e71c62fcc27a5

SHA256
59809519dbb27093dcef3a2b15b4a9c5d196574433aac7b9594c2cffade101c4

SHA512
7e91e47cfc7cab28db2f190055dc63f68ed7b7237ea3194e89ff80834c0c17fac446a52a5599946a5a917206609e8705bb24c5d05551a61b87a1c8c814415fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
84B

MD5
db37b69b140a20a4e74c51f5296480ba

SHA1
dede6d595cde98fac2a55d378719eb4d5f2fa277

SHA256
76eaeb5787a30be9e3538d64a93ca6b8f01fffa3f64994383b0343a88b1664d3

SHA512
47c8f4ce3a63791a0c1160020b13b77eaba906b4375f0ccaac0be53e8bc659b119984bea57a2dcbf05557330758dba30901f7d90a3c81587c280ef4199203063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
c4d544c072d4f84e78ed9f90cb0eaffc

SHA1
e53ffef23292192d5a8c3ef6c7789d312e78e886

SHA256
e0b96acc80e7d8cf572b05c906271e8b07cdd04ec03eba06c383548dcf91238f

SHA512
d936ffb33006526b92ef3367cbe0ae8eec8b47644e7d368d77d1db10fcd05fd22fa9f71eafbf5db31318dede035a1e4533751c42dbcd1f9f6b0e98703a15c434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b621.TMP
Filesize
48B

MD5
a9f70564e700943c5bdbdd03c2fedd35

SHA1
addcb4bb0599a35304cf961c74499b0c5ea82ce7

SHA256
b877cdb9508b1f1bc85edd74b411303c50b276756d19f81ec99d9244369199c0

SHA512
5edd977f2c218b159d4e3abb6c1626fc06b137b045dd08aedbdc6358a6a68014d3f4d590b44e234340a137b95859d5289b38ac77a12b6a6ed980b18096d158b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c2fb268991b08f4e4ca38bca9353db9c

SHA1
d8df970206b27858eccbde2fe58ce7ce3b5ea6b8

SHA256
adc7bb0eef8710e09cefe08bb6e7da29ef565549f0437adbef249b080a49666a

SHA512
1202d5fe09a028011da3cc099d3fc97406eff1651293f6102b12b5c3fac582920572ee7370d81505abcfdb89a6758ea72738074b3d456d65fbf0e7c7dfb6b08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2e7303ee14f2dd2b1e502eb93aab6f28

SHA1
6dc0fa54d80c272ad7665203e6fa5c58c68baf95

SHA256
f492789c084e767c1483f5bbed609d54693d9c8cc3d40051175fb5f6d01f5c4e

SHA512
353e63108793df63df87f1bc7e344e5c7bbbf3b9c941084d39f477b431648ba912aa8281101d531ddea39e06fd6ee1587788418adeb09f0384c5231924166399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f3c0b2abd712d414f7aa0a16bf850b38

SHA1
4e90316d0d52bbed501521e9d2ce50d8e6400968

SHA256
68bff02f083e18495b90c21eea0af71d405244d947a2638af7c8c55c55862b04

SHA512
5008a1e1a49bb064b70f8d6aa3d4041480100c9ebac9d486ebd9a52afc26cb1b0c99de21ece174b9e7da8ad6280887d372712916ff81ce14e28c7132758bd81d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
1KB

MD5
16e5c7e9e7656649e7ae94924b7d87db

SHA1
26b93270a0b4cdd7c03f14d17d53eaabb31b9aeb

SHA256
d41a29136ffabddac23cde56d14d9a2793bbd4169dbaa72e0a1f69243d7d45d4

SHA512
0479591353c841426710b8609ce26aebdca17e8f8a5c234d583b679c8341b6e144faac486ccef6337939df4149b13dc99997e5e7c4ca24105bb21c7452ea015a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ec653aa3-411b-4dde-a0b2-c0a7e12e3225.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
465b028e7c80e78eb714bda40c72d9c8

SHA1
d958219d9c4531f6e097eb2be95a1c615f2a1129

SHA256
6e899832448be97b66bf868209234e519a571c26c3de87c6fc9584c82996adab

SHA512
29a5bcc8ac386b4eacb0e65a876b39a33aa0b1908ee4f0c30b74bb6eca8b7a99dce72f1098c813b40fd26334577d2f8d6c6bf3bcf497e05a9cb05b6f583d9150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
ba37c11810bdf0305e317fff0d75058f

SHA1
f16e0856f293069e241b88f56510c24ab086fb81

SHA256
68e6c53271c70d4fbb085b664b0a270177ec28dbd72c7f0f3e05342e2902da8d

SHA512
b5ddcde0197c1cf9cbe6daaa522e694d528864601360291c271439ec5e77ed23a37e93d2276809efd79cd4a55dff3182b6bbe6547b6c41407b9f3c8272d74fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a533ac8fa53716325db802ff393cfce6

SHA1
4f5a6014e86436f4dab70961656f9c7a4c20c68d

SHA256
717b354d484aac8a4cd7629869a9b2e96f2fedc3b3a10bf43988f05810861c09

SHA512
3c913e7f730ebc0f651901c960f51af28a37cc6981fc524499e6877cd2275ede15abb96a430bea48cbb6662158116cee6d6771cc441e89f2ef39161a1d9a64d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7162.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
247KB

MD5
2284aa0b4eeca5fa90481a464d77c43b

SHA1
e4297d660c2a61f675ab5b308938f3ba82a2c7b3

SHA256
4a4c439c6a844a46c1f89b7bd6b47999e357d495ac1cde4d9126ed7cccd45e2b

SHA512
0353ae0fc22533893dee08be4451149517e6e3e08d86b6eb4dbf3afebc8cdef0bc0fdd6262252ce83922a5063b7a6796224b9921cf1ca20e33964b6bc628180f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E73E.exe
Filesize
44KB

MD5
98a7b94a723936af0288de461528437f

SHA1
5d4734982b047ad6284568f201882e66da286f3c

SHA256
4f6f42e45b325cff66e7168fece3c8c1d428c7a3b936822e308913f58572672a

SHA512
44bc9c7b1cd5165004000c64247c612f8e3d26949de25176005b9bce3d0482dfe8861c537151c47f8e44065962f5ce75079628fce9feada197b66333b0a72030

Download Submit
C:\Users\Admin\AppData\Local\Temp\E73E.exe
Filesize
93KB

MD5
201750ee4ad298d1bc2a2783964881e7

SHA1
ad86d4eb39f515d5a74f6e8aef3bdd70ca2d72a1

SHA256
91c77bef50c85a2c233af58127642e503135451b67caac7650c081535ff05e38

SHA512
f39216065d440723719986c87e5500d611d8fb2b9e0b8c7e04c585ee50a70d4d420b45aa70af792d27d3bca3888f98a0e74bf5e1dffe152e610613cc1cf28e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE03.exe
Filesize
853KB

MD5
cd8f131e93086a09aa6977ab57b9eb61

SHA1
6aa08d87db61a63b251cabad382825fb44ba7a2d

SHA256
4e50b8ccf3290db2536f6447ccfe295c9274583148257251558b62c43327f72e

SHA512
92e19239839fd9749b31fadcb94e71d7fbe42961cd67960da6b9aec507c19cc97e539167dfd2be77aa89faa8c93628d22fdec902f968089f861e52b8e20d46df

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE03.exe
Filesize
82KB

MD5
23017d52d2396be4c55c6d61e4d14393

SHA1
79198ddfca6ded7e0f4bf3a25919c599f67e2df8

SHA256
ca3433fa997ed55385e69cb99055a9b606ab78e1c2dad55f0d052ddf9f3c41a4

SHA512
62210e336db58ce2010e8c90ca9d6fa01a00d57cd3d439baa6e2d873dcd8ba4566519de6aaf3d13ea376b428e76d63acc490973cab79fc7bfb8c7f2468809872

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7SV4qS88.exe
Filesize
38KB

MD5
66cb3439d8a71cafb827fd2d162e6f80

SHA1
e0b2cb0461eb4d3a0907b7d4eb4a21ab7cc10b21

SHA256
d658604ac3e40c6835c9b9a574db49846a847d26e991fc9e3ea0757cccbe1ada

SHA512
cc17bcb353a00652150de2ac9e3cb5051b37916e60554ac41d753508db6e2146855f0dcf3250ec6ceb907d29b4bdaa13297f44c6e2abd7592f0392952aba9dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RK0jJ97.exe
Filesize
346KB

MD5
546556ef3bf5a4b1ce49e5b7f9146903

SHA1
9adae17f73a241a29e2a674dc9c306a19c571a8f

SHA256
b44ceb1dab81cd7ea64c4a7f2ddd6d5e036dfe7420f83bf763872e2a077ca957

SHA512
969505dc56d07e3c4abdf11834bfdd3e9ab1a5816df1251fa8ed8801536696e25c5bad1a15bfa18637827627500e548aff16cc9f135aa11036c3af73c8f5f6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RK0jJ97.exe
Filesize
232KB

MD5
b39b3ca0a077db64c853489f5381976c

SHA1
c498083990c289c150cfadb743a19f63bd5259c3

SHA256
dfcc886d5154af6899eca304fe10eb913fd0d36bf502d7d73d0bb2b07defeaf3

SHA512
2e79649b5e7b3e4a43b2fb2443ac2ba5e27fc8093c7cd0ec41daadb94f06ba93b821759eec1267aa477c3f39bfddcff56f0e18f4076083f6c8fd619f122c4779

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ha7Tt3.exe
Filesize
255KB

MD5
af4d21a1730c0febdb636484bdcc3841

SHA1
62bc5eadbf6a175e48af5a39a4e920d2b4104dd3

SHA256
c96061ad167f5d5eb52095f8946b12fd58a10eae187cb80a1acf09c83fba4ea9

SHA512
eefc311014d99a4213d8d024a84f045b9be173cb13143e4accf12bac52ab0978c66cd1cc8f97c1b2ef89cd504c08edd5dab2b3548ebc0de054af349238e76907

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ha7Tt3.exe
Filesize
95KB

MD5
d7df9b93d5b3191eeee7b468b489c0f6

SHA1
d7cf780604882919c4fdaa6d049e5a61dff2bd67

SHA256
e617b6c87e3886638d095651ac6cab5cfeae585964a0a6da58239b79579cc696

SHA512
e9432c63b62844151cdf318460d67042eab5480f18274cee900111a23a933073b11c63581f362167de62d028bdca12e1fa6a3b9360eb802b28280788c6d62762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NU8VV81.exe
Filesize
166KB

MD5
06cb823ec83657961e4a01e4440cdc7f

SHA1
79cebcd8bb9b8d28eb1ee3d927211c8ae23cb052

SHA256
55f0c58991eea488df825531f1e541b810c2a728a926ee91344f82add9792de1

SHA512
0bf2c579e21ec1dabc95ea58dbdc9ecad91d09492a8d04bada0490d4f3c4be5d03fbfc869c6207d8dc49989ce9b90fb85885cc28069b209f04db1b48a4566d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NU8VV81.exe
Filesize
155KB

MD5
d41546b229dcea4f067af6ec68795ce2

SHA1
a5cebebfcae2dfdad37f31db6f42eee9b70cb34c

SHA256
c0826345b0795d730251322ee43fb3a011bdfa51b812030f3bb1593e1db1f7d9

SHA512
65f59f31c24dd240aa3f82407b4c1bc512f7c3aa7f7b650163684a210bfba0d0399dcce483b90491f8dd5aba56a8f92530da72901b1ccc0688fbd0558839ca6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2LV4887.exe
Filesize
32KB

MD5
a92cd1cd011ca1d84bc9159666db35cb

SHA1
73ee2db7ff5585424344aad08e6e3e8f29c6f145

SHA256
1dbd4ea72ab96b15f1506edc8aee5e4b9e10e2789f8b26e0e8328139316ace0e

SHA512
aaabb87c14ad258799e4ac4b52ae4351d04b75b0a93d09f496ab1b798bf1ab5ed65b9817f65df441afcad8be32e62eb7196299e8cf1c6f27aaa5e496a3012fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2LV4887.exe
Filesize
92KB

MD5
a4fc893a76d2a6a210fb3eeb48026ea3

SHA1
0a4ca4a9932ba6c491bed256ef2b5cfaf5437aca

SHA256
fa58959a2d56a827419e7c256cbaeddd5bc18600babee170c1c8645dc2e01dd8

SHA512
7eac3fbf2fd6373a3e63412230f67d4486f39ca70a63a8cb1a9270bee74e233d38255a21de409a3ca6980e3ae413d9b14cab4d4c7d983e0747990e4eaec19c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5BE9VW3.exe
Filesize
1.5MB

MD5
302fee1f9c5aa09eccc5a6ad51f5007e

SHA1
bc60c16b80d0b8498161a61a9e56d4101a8d0b8a

SHA256
3e67c6c32acb0dee0014f749ecfe30f5862676c7db978cc442c8eb3c4237c7b0

SHA512
163559815db8f14f86076e6d3b6af277bfd7f13af83ebe961d9275a037bbd8579c2955a653311d937be50963f8528f2703384d350248d35c65877ddc33fa9637

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
124KB

MD5
2f1b5e553cbbd5177c5c32c6d7b0865b

SHA1
1a6e50e1d50f88a1ba25b5ba7127df84f4ee793c

SHA256
e3d9e88a6259564831995ba214ad4b6f210c4d42cc54041b300510b4586dbc43

SHA512
5d60f68a767f313ba89ec78fa18044513bb6e5eb89f2e3cf5c92b6c3f5b92a458e8ab5c4d30e611ee5d9793aaf3bc8f5db7755f93b1ac58cf52dd98bc3183d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
92KB

MD5
3d4e9c6b7c72ef640574cec0a0d63437

SHA1
ae6b23512affb5f2cfbcb81b46c5d6bc0cf0d533

SHA256
f43588d137f5daf9aac7e1ec4670217854c6849056522621a641f9cdbb2c0877

SHA512
0d3b49e38c64f3ed9a6a14b4940f4e6746cd3e69cf2020f14a676ec99cf4d62256d291a1648e9c43ec4f88dd218ca34df1522dd0174ad873016a6033a48d3e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
305KB

MD5
8855dfb39ca29d5a5fedd3cdc0dce0b8

SHA1
bde4bf92a2ecce27be2a54decf6af55a72d5902d

SHA256
3597a750f4cc477542be15a0ff2390063c86c58d0f4c458aa7775f7115ba7d96

SHA512
3fe6149de35aa5e9df9c8356537359afaed35ff3d36f517e250692b3a310286e7a699c7beb669d289511adf3190f0b170c7b3c5c68313764e8dd638cfc5e4bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
76KB

MD5
ae4f61087584455179a69ca03d36b63c

SHA1
31ff15e1b523c21f72bbfd54cad48b3d357c6a91

SHA256
c3ba89179725fcb91f60683c1a306ae95d475650fe2e0068286797467a9daa28

SHA512
853b6c0ea5612559d6b63dc51496a24d9e312586d3ad4a368d264b9eec62d16b6d000913055deac726c0f4b28be6044d355ba9e791472ca40369cfe48b42372b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7H04H.tmp\tuc4.tmp
Filesize
164KB

MD5
9b4ebfa08d2ee903de10bdcaca4a534a

SHA1
c0376e7c9787ed281ed12b453886e36fe9a3c048

SHA256
08c7f3ff9ee6c2cc7fb7aaebbc532f2f9140edd538ae0fd9cdb1cc3d7423bf31

SHA512
e7b8e8ebbfd2dcbe83fb39674eed11d86c234852c356cb197a6f8e6a79119ee07b26076f212470b9f186af121ce3cdda75b39caecae59e1d1f6c4a4e840ea376

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk3DF.tmp\Checker.dll
Filesize
41KB

MD5
8dcc038ce15a235ea9e22fc9663e4c40

SHA1
cc702c128e3035d42220bd504d6c061967d3726f

SHA256
64b23aa5ca4e2e516fae3d2480957d6f1065c91caa930e0ffac2bda1cadea76a

SHA512
bf81fee736e02680b2d5cd23dd360430b9bd97ad1f75ae9485e82b548f61b83a092c5e17a4d537a06ece6384003aeb9b7b9e7eac4a7ffb2b371160570bce6b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk3DF.tmp\Zip.dll
Filesize
76KB

MD5
0f459c2bd249a8b1f4b1b598d8e5299d

SHA1
ca47103107cd686d002cb1c3f362efc5750bfeb4

SHA256
acd3d2b809c320bb8b93385212bac23536bd6894e8e2638a5e85468ccd54fb3b

SHA512
1a7e6e48ee9d966a59082f2ad3b6405d8bbdc1a45f54dec1de9fd1a16b34bb0dc422683ecffd5dfb484db3c5c42caea410d49debeae50ba3979520834212afe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst27.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSjuEf6Ufw2n30\3i0Fvd2grh8DWeb Data
Filesize
7KB

MD5
9132bfc00cb237c739cd00beae2acfb9

SHA1
03bd491db8753b9d210a49f13ecf3975e4770cfd

SHA256
281029eadf3b05a6ed7c4b06de19f8fb73046a782f4a2d4ada5383fcd4a3a6e9

SHA512
5d44d05be7d470ba32f38085ea806daff5d4b593dffa45bd84b073acc23312ba9d4fb04948a1ab7201eff850dbecce863e5bb6ce5a8bf3d733eaab4efe16689d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSjuEf6Ufw2n30\LGnvWbnjo4HCWeb Data
Filesize
5KB

MD5
ee05fca7cc9cb824da2285521fa89bc1

SHA1
52cf608e093b47958093d1e66efbe79e7e040555

SHA256
b52e303a5e537988f8a7028cd39e69b9377be053cf517d7f02b345e8134cde5c

SHA512
ad688fc04a1e745f05bc74312613d679ed5348913d4a6fbe18fe5b4f6ab6e9a7c412dccbb30282a477ed2fdda5af4c5eb79172766498df92b7dbad6dd705fb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSjuEf6Ufw2n30\sqlite3.dll
Filesize
64KB

MD5
07fd0f8f7054423373cfb07b15d93b63

SHA1
6b089eda711b88e38a92f7145cf2bfc7f528f85a

SHA256
df7a699b3470029fe7c554272104c37234994e7f8cba81c359a02154417602f4

SHA512
fdcf4f632b199979fc9a9d34a2518977e941ffa1778f1840e6688541369adbe1788764db0d0faadf5a931f55b2e2b1a88697abf6b6834fd29c1238838acb6d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
244KB

MD5
53dfdf8b917a686fa14c7d238df26ae1

SHA1
934d0ac683a6697d5b3729cb237c2999a05e602b

SHA256
2a9d5f49609d33b83b492a771a8ab3fed26938e2589da4a93f16aa5ddfb573ce

SHA512
87aa452bdb001bb0c683963065c8fea16828ffd52e0ed755098e277663229280d8f12e0bb8268703fd618f00489033dc21150a8b67a2598c92609b432854adf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
74KB

MD5
7de198b14c35f43b76dc2e07170d2665

SHA1
b5a8dbe8a1c95519d1cdae7f7710fee92907f18d

SHA256
e8023137f735974267e68984c3fa2f330648727f12da5ff2c40892b6f8222fcb

SHA512
b826de97c616ed69583788ed0d7ad5c05f637f70cd345cb5dd9fbb8cf5794afbcf9bb3d56107f6a07e0713aacca4c9fb8342cb8a4679a1624f547e532133dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
224KB

MD5
85ff0f8a8f601b6adfdc2e4292c96998

SHA1
5877b113ce98e7fcd9ac372dabb9a58cb91c01ae

SHA256
cf24bd0e0f0032a517928c190e4198e41749c39ad096985d07a02815a04f7346

SHA512
235fec57ec4ec029078698c7895019077a28dc6ab0cc461f74ac6609d94d8078c49ec26ca46be56b41c98aab307fc8df0282e78ba9886950cfbb8b67e4b85de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
63KB

MD5
2f355df82d654a343b63f1d31fd35b84

SHA1
c0e5d5fd69a2cdc796d9d636b7243e2b14805383

SHA256
a906314b974391dd075838a732071e39c993ae2254ecd27eba8c7306d5067e7e

SHA512
295df0d0358aece4b245ad615b1cc8c480bcdcb2976ef4ab554bf7abf76b562f76586ea06dab72f16e3397eb0ea2eb8f51fc740f1b224cd4f5bb1a68feb48c3b

Download Submit
memory/540-1564-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/1072-746-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1072-738-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1072-1189-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-1405-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1392-817-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1392-669-0x0000000000E70000-0x0000000001236000-memory.dmp

Filesize
3.8MB

Download
memory/1392-670-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1392-671-0x0000000005B30000-0x0000000005BCC000-memory.dmp

Filesize
624KB

Download
memory/2100-557-0x0000000002580000-0x00000000025FC000-memory.dmp

Filesize
496KB

Download
memory/2100-558-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2100-556-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/2100-559-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2100-1217-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2100-1213-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2456-758-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2456-903-0x0000000002960000-0x000000000299A000-memory.dmp

Filesize
232KB

Download
memory/2456-832-0x00000000044D0000-0x00000000050F8000-memory.dmp

Filesize
12.2MB

Download
memory/2456-792-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2724-1404-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2724-1514-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2880-1238-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2880-904-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2880-723-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2968-551-0x00000000005A0000-0x00000000009FE000-memory.dmp

Filesize
4.4MB

Download
memory/2968-428-0x000000000A060000-0x000000000A07E000-memory.dmp

Filesize
120KB

Download
memory/2968-39-0x00000000005A0000-0x00000000009FE000-memory.dmp

Filesize
4.4MB

Download
memory/2968-56-0x00000000005A0000-0x00000000009FE000-memory.dmp

Filesize
4.4MB

Download
memory/2968-451-0x00000000005A0000-0x00000000009FE000-memory.dmp

Filesize
4.4MB

Download
memory/2968-58-0x00000000005A0000-0x00000000009FE000-memory.dmp

Filesize
4.4MB

Download
memory/2968-452-0x000000000A570000-0x000000000A8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-90-0x0000000008760000-0x00000000087D6000-memory.dmp

Filesize
472KB

Download
memory/3492-1175-0x0000000003140000-0x0000000003156000-memory.dmp

Filesize
88KB

Download
memory/3492-580-0x0000000003110000-0x0000000003126000-memory.dmp

Filesize
88KB

Download
memory/3556-1267-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3556-773-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3744-1497-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3828-731-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/3828-734-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/4236-1551-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5232-677-0x00000000009B0000-0x0000000001C8E000-memory.dmp

Filesize
18.9MB

Download
memory/5232-676-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/5232-748-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/5568-747-0x0000000002A20000-0x0000000002E19000-memory.dmp

Filesize
4.0MB

Download
memory/5568-771-0x0000000002E20000-0x000000000370B000-memory.dmp

Filesize
8.9MB

Download
memory/5568-835-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5568-1239-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5580-350-0x0000000007790000-0x00000000077A4000-memory.dmp

Filesize
80KB

Download
memory/5580-144-0x0000000006270000-0x00000000062BC000-memory.dmp

Filesize
304KB

Download
memory/5580-98-0x0000000004C90000-0x0000000004CC6000-memory.dmp

Filesize
216KB

Download
memory/5580-102-0x0000000005470000-0x0000000005A98000-memory.dmp

Filesize
6.2MB

Download
memory/5580-104-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/5580-103-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/5580-117-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/5580-101-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/5580-124-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/5580-136-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/5580-123-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/5580-143-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/5580-193-0x000000007FA00000-0x000000007FA10000-memory.dmp

Filesize
64KB

Download
memory/5580-192-0x00000000067E0000-0x0000000006812000-memory.dmp

Filesize
200KB

Download
memory/5580-196-0x0000000070750000-0x000000007079C000-memory.dmp

Filesize
304KB

Download
memory/5580-220-0x00000000067C0000-0x00000000067DE000-memory.dmp

Filesize
120KB

Download
memory/5580-227-0x0000000007400000-0x00000000074A3000-memory.dmp

Filesize
652KB

Download
memory/5580-364-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/5580-351-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/5580-353-0x0000000007870000-0x0000000007878000-memory.dmp

Filesize
32KB

Download
memory/5580-347-0x0000000007780000-0x000000000778E000-memory.dmp

Filesize
56KB

Download
memory/5580-274-0x0000000007750000-0x0000000007761000-memory.dmp

Filesize
68KB

Download
memory/5580-256-0x00000000077D0000-0x0000000007866000-memory.dmp

Filesize
600KB

Download
memory/5580-240-0x00000000075C0000-0x00000000075CA000-memory.dmp

Filesize
40KB

Download
memory/5580-236-0x0000000007B90000-0x000000000820A000-memory.dmp

Filesize
6.5MB

Download
memory/5580-237-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/5728-1565-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5728-1511-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5784-582-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5784-563-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5788-912-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5788-727-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5828-885-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/5828-900-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/5828-915-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/5828-884-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/5828-901-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/5828-905-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/5828-864-0x0000000000B90000-0x0000000000C44000-memory.dmp

Filesize
720KB

Download
memory/5848-911-0x0000000005330000-0x00000000058D4000-memory.dmp

Filesize
5.6MB

Download
memory/5848-916-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/5848-914-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/5848-902-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5848-907-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download