xworm | 6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

max time kernel
949s
max time network
952s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

писька чит.exe
Size

71KB
MD5

ed3794861ddc34b4748ff8081e80cb2b
SHA1

e63cf084552f0c2803de0109e3d2fcd3102c4738
SHA256

6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
SHA512

df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
SSDEEP

1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score

10^/10

xworm discovery execution rat trojan upx

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3524-1-0x00000000002E0000-0x00000000002F8000-memory.dmp	family_xworm
behavioral2/files/0x000d0000000233b9-72.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1736	powershell.exe
4512	powershell.exe
4892	powershell.exe
1280	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wvorwt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	okaxnx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	zzlwlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	yniiro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	zzlwlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	писька чит.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	lbwlpq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	faskik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	zzlwlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	zzlwlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	qhgiqv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	yniiro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	yniiro.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe

Executes dropped EXE 17 IoCs

pid	Process
5320	qhgiqv.exe
6100	faskik.exe
3300	okaxnx.exe
5452	zzlwlp.exe
452	lbwlpq.exe
5420	flkyve.exe
5392	yniiro.exe
3976	zzlwlp.exe
5716	yniiro.exe
5476	yniiro.exe
2344	zzlwlp.exe
6080	zzlwlp.exe
1424	wvorwt.exe
2900	ekqyxs.exe
3432	ltvrwo.exe
4596	ytlcex.exe
1156	zpovyz.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c0000000235d4-1072.dat	upx
behavioral2/memory/452-1076-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/452-1101-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000023607-1356.dat	upx
behavioral2/memory/1424-1358-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/1424-1529-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
280	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzlwlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvorwt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekqyxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzlwlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzlwlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytlcex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flkyve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhgiqv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbwlpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yniiro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yniiro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzlwlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faskik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okaxnx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yniiro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	qhgiqv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{352CBC96-7777-4625-81E3-8E779B995022}	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{13EEC630-08EB-47A6-9529-5A9AC40843C2}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{815C0F30-C272-4E59-BF71-747E724353FA}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	zzlwlp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{04AD49BB-922E-43B9-BDBA-4AA9EB9610B7}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	yniiro.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{C4ACD19B-A4AA-42B7-A129-0F0F3F48934A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	okaxnx.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{AFBACC05-91A6-46A7-A974-B44E3A9754FA}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	zzlwlp.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	faskik.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	zzlwlp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{D669082C-063F-41BD-B1CF-CCAE2AEF813D}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	zzlwlp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{8EF07438-A841-43EF-A3CD-7651A648DDC7}	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{49A8C1E1-B56E-4244-8279-0E4A3AE36ACC}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	yniiro.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{2209E67C-0004-4E77-BBA2-164EA40CA731}	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{5B59973E-ABE9-4E3F-9112-8A8EBF5BEACA}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	yniiro.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{0A1A654B-18D1-4F7F-B113-4F7580A67619}	WScript.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 76617.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 957185.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	powershell.exe
1736	powershell.exe
4512	powershell.exe
4512	powershell.exe
4892	powershell.exe
4892	powershell.exe
1280	powershell.exe
1280	powershell.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
2172	msedge.exe
2172	msedge.exe
4032	taskmgr.exe
4032	taskmgr.exe
2328	msedge.exe
2328	msedge.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
5460	identity_helper.exe
5460	identity_helper.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4864	msedge.exe
4864	msedge.exe
4032	taskmgr.exe
4032	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4032	taskmgr.exe
3524	писька чит.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3524	писька чит.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	3524	писька чит.exe
Token: SeDebugPrivilege	4032	taskmgr.exe
Token: SeSystemProfilePrivilege	4032	taskmgr.exe
Token: SeCreateGlobalPrivilege	4032	taskmgr.exe
Token: SeDebugPrivilege	3432	писька чит.exe
Token: SeShutdownPrivilege	4296	WScript.exe
Token: SeCreatePagefilePrivilege	4296	WScript.exe
Token: 33	5128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5128	AUDIODG.EXE
Token: SeShutdownPrivilege	4296	WScript.exe
Token: SeCreatePagefilePrivilege	4296	WScript.exe
Token: SeShutdownPrivilege	5612	WScript.exe
Token: SeCreatePagefilePrivilege	5612	WScript.exe
Token: SeShutdownPrivilege	5612	WScript.exe
Token: SeCreatePagefilePrivilege	5612	WScript.exe
Token: SeShutdownPrivilege	5796	WScript.exe
Token: SeCreatePagefilePrivilege	5796	WScript.exe
Token: SeShutdownPrivilege	5796	WScript.exe
Token: SeCreatePagefilePrivilege	5796	WScript.exe
Token: SeShutdownPrivilege	5508	WScript.exe
Token: SeCreatePagefilePrivilege	5508	WScript.exe
Token: SeShutdownPrivilege	5508	WScript.exe
Token: SeCreatePagefilePrivilege	5508	WScript.exe
Token: SeDebugPrivilege	5364	писька чит.exe
Token: SeDebugPrivilege	3752	писька чит.exe
Token: SeShutdownPrivilege	2752	WScript.exe
Token: SeCreatePagefilePrivilege	2752	WScript.exe
Token: SeShutdownPrivilege	2752	WScript.exe
Token: SeCreatePagefilePrivilege	2752	WScript.exe
Token: SeShutdownPrivilege	3796	WScript.exe
Token: SeCreatePagefilePrivilege	3796	WScript.exe
Token: SeShutdownPrivilege	3796	WScript.exe
Token: SeCreatePagefilePrivilege	3796	WScript.exe
Token: SeShutdownPrivilege	1300	WScript.exe
Token: SeCreatePagefilePrivilege	1300	WScript.exe
Token: SeShutdownPrivilege	1300	WScript.exe
Token: SeCreatePagefilePrivilege	1300	WScript.exe
Token: SeShutdownPrivilege	5700	WScript.exe
Token: SeCreatePagefilePrivilege	5700	WScript.exe
Token: SeShutdownPrivilege	5700	WScript.exe
Token: SeCreatePagefilePrivilege	5700	WScript.exe
Token: SeShutdownPrivilege	2252	WScript.exe
Token: SeCreatePagefilePrivilege	2252	WScript.exe
Token: SeShutdownPrivilege	2252	WScript.exe
Token: SeCreatePagefilePrivilege	2252	WScript.exe
Token: SeShutdownPrivilege	4400	WScript.exe
Token: SeCreatePagefilePrivilege	4400	WScript.exe
Token: SeShutdownPrivilege	4400	WScript.exe
Token: SeCreatePagefilePrivilege	4400	WScript.exe
Token: SeDebugPrivilege	2960	писька чит.exe
Token: SeDebugPrivilege	644	писька чит.exe
Token: SeDebugPrivilege	5688	писька чит.exe
Token: SeDebugPrivilege	2948	писька чит.exe
Token: SeShutdownPrivilege	3000	WScript.exe
Token: SeCreatePagefilePrivilege	3000	WScript.exe
Token: SeShutdownPrivilege	3000	WScript.exe
Token: SeCreatePagefilePrivilege	3000	WScript.exe
Token: 33	1548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1548	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 1736	3524	писька чит.exe	93
PID 3524 wrote to memory of 1736	3524	писька чит.exe	93
PID 3524 wrote to memory of 4512	3524	писька чит.exe	95
PID 3524 wrote to memory of 4512	3524	писька чит.exe	95
PID 3524 wrote to memory of 4892	3524	писька чит.exe	98
PID 3524 wrote to memory of 4892	3524	писька чит.exe	98
PID 3524 wrote to memory of 1280	3524	писька чит.exe	100
PID 3524 wrote to memory of 1280	3524	писька чит.exe	100
PID 2328 wrote to memory of 2840	2328	msedge.exe	115
PID 2328 wrote to memory of 2840	2328	msedge.exe	115
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 116	2328	msedge.exe	116
PID 2328 wrote to memory of 2172	2328	msedge.exe	117
PID 2328 wrote to memory of 2172	2328	msedge.exe	117
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118
PID 2328 wrote to memory of 3032	2328	msedge.exe	118

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\qhgiqv.exe
  "C:\Users\Admin\AppData\Local\Temp\qhgiqv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5320
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:5724
  - - C:\Windows\SysWOW64\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      System Location Discovery: System Language Discovery
      PID:5892
- C:\Users\Admin\AppData\Local\Temp\faskik.exe
  "C:\Users\Admin\AppData\Local\Temp\faskik.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:6100
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- C:\Users\Admin\AppData\Local\Temp\okaxnx.exe
  "C:\Users\Admin\AppData\Local\Temp\okaxnx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3300
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5612
- C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe
  "C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5796
- C:\Users\Admin\AppData\Local\Temp\lbwlpq.exe
  "C:\Users\Admin\AppData\Local\Temp\lbwlpq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:452
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CE00.tmp\CE01.tmp\CE02.bat C:\Users\Admin\AppData\Local\Temp\lbwlpq.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:4924
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\3.VBS"
      4⤵
      Enumerates connected drives
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:5508
- C:\Users\Admin\AppData\Local\Temp\flkyve.exe
  "C:\Users\Admin\AppData\Local\Temp\flkyve.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5420
- C:\Users\Admin\AppData\Local\Temp\yniiro.exe
  "C:\Users\Admin\AppData\Local\Temp\yniiro.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5392
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\wvorwt.exe
  "C:\Users\Admin\AppData\Local\Temp\wvorwt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1424
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC4E.tmp\FC4F.tmp\FC60.bat C:\Users\Admin\AppData\Local\Temp\wvorwt.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:5164
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\6.VBS"
      4⤵
      Enumerates connected drives
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- C:\Users\Admin\AppData\Local\Temp\ekqyxs.exe
  "C:\Users\Admin\AppData\Local\Temp\ekqyxs.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\ltvrwo.exe
  "C:\Users\Admin\AppData\Local\Temp\ltvrwo.exe"
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\ytlcex.exe
  "C:\Users\Admin\AppData\Local\Temp\ytlcex.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\zpovyz.exe
  "C:\Users\Admin\AppData\Local\Temp\zpovyz.exe"
  2⤵
  - Executes dropped EXE
  PID:1156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8dfc446f8,0x7ff8dfc44708,0x7ff8dfc44718
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4052 /prefetch:8
  2⤵
  PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3704 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7268 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7048 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7492 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7216 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3764 /prefetch:2
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8296 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8228 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,15192770840216547264,3881290452320771143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8468 /prefetch:8
  2⤵
  PID:3884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=писька чит.exe писька чит.exe"
1⤵
PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8dfc446f8,0x7ff8dfc44708,0x7ff8dfc44718
  2⤵
  PID:5856

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5364

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe
"C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\play.vbs"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3796

C:\Users\Admin\AppData\Local\Temp\yniiro.exe
"C:\Users\Admin\AppData\Local\Temp\yniiro.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1300

C:\Users\Admin\AppData\Local\Temp\yniiro.exe
"C:\Users\Admin\AppData\Local\Temp\yniiro.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\play.vbs"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5700

C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe
"C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX3\play.vbs"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe
"C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX4\play.vbs"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4400

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5688

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe
"C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"
1⤵
PID:4512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
41KB

MD5
91be4e2bf6957e5b01200b15f83b9af1

SHA1
cb9b994eb27a6e41885e4b3dedc78fa1ea9324a9

SHA256
9951e1f58567cad50199fa9e5a1b380e3f0784da276fb2d5f859110d5832dd93

SHA512
c633e932eae25c5858ac035be15f99d273183306bdc1e296e9f0154219ec2da76126158c4a2e5f2af2d27473f6077f03f518d2edd0f1981f321079953f876c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
20KB

MD5
4a2961dddc7ca6732df1c0646aad5129

SHA1
ff0b7265d2bef3824709ee3000621aca2d2c8724

SHA256
58a974546a65196f726ac5dbc25f1048991e8347bd53e7449102048a5a0dd597

SHA512
82c889adccb748ea06ced5db14b7f3f94b980215d350d7cf5463ad05de53b0421e0bc7fe6d0d3897480b2cbd6f34e0126814f166adb59b7f0a1c9cf960e8a2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
20KB

MD5
138d739b71a8bb3d57c7e63dc5b14be8

SHA1
d99b088667be58ae3c49da6cb5cd2ef1dd85eca6

SHA256
40868120da668c8a478a172b7a719e1415d7d0b59e999ebd76b6b6338a709f9b

SHA512
d6dbf38584ff2ff89b5ef7512202337128b2e4f4c19d6b2bf47419e6cba66d13fd897dc1cfd5d22322bf7ca4433b833952def01dd3c8e8d8ad8125bbedca22c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
71202a5ea0c1269f8ae240234798b54f

SHA1
10deab507d9caffab989b5c8f3b3db89c6b7612b

SHA256
8032d9c48185097ed664a9a4eb63456ad14d9cbc148e72d438563560baa5522a

SHA512
b66f4a47e019f4a2fdd4a1ab117afcbdc7b0f772ab9f3823313b844014b4c51e71ee94cd58d4ad62e31e043da3c48c9b9709080d663b1eaaf38969a7ce8855ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5727adcdbb163b694c6de0767fdc0818

SHA1
496b453550d2e635f0a55b50935ed36cae3c5144

SHA256
69f3501382ac9ec367b8419fe21849daea3f1a0bdbd12afb05daa64ee2908b75

SHA512
7d6cdb10c8c2e4dc03901593aabf86d7ff1806480f087d429a99420265a8061e9ddce07d71344a9476495bfd706a4a3e8aa2711b11023c34dc2b8fcf2c1ec94e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9704ee741248285ec15311f0cc0b9843

SHA1
7b5a5bbdb9192855890901ffdf658bf1e394bfbd

SHA256
689a4954c5933986a1b84e1bf6668448791ba550a263edfa2ff72ba915e4edc6

SHA512
12cd45e9f6583484ef62abe87957a1091e76e195b0998e3fd1d70cfeabbf8030ede9a42e6180798380ba9ffc27ac64ffb2a1ee0f605a9633597443c2aad1172d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
adb6bc2c80e8401b7f3ce226d31d2e44

SHA1
2c258c6b845a279a84ee7f5850e137fe3cc7e22e

SHA256
24a270b94499360150bd87d84f8b6e9680dac63a0d24579d40f75cd47be90dc5

SHA512
96c0fd37723f1d5b1c8e2bafb0503fe21a563534a6644c36d1a6370411de4555b2b39a18a328b35a79b521c4da7ffa803774bc8438ae7c00e157d859dc97b896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
2e519474fedccb0e6aa0cca255fec8ec

SHA1
b86341ca23429cfccbfefeb730261a64ff9fb422

SHA256
c536e159429b103632aca3b2d9f7f0c1c5cebe2ae95c9c3cc1b6080b03afd67d

SHA512
32a9c437eff2bae6c3fb342f26e5ae25462bf7a234ef51424311427e46339a29a7f18c8135c67af43339eaed5023b3efb6b661401b11614a444b396bb0354b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
fec9ff870562c1f930fec18cb2c2212f

SHA1
4f5b36b4e411dd27336bff79e0fd36345d389d18

SHA256
1de65b64b98ccaf8c692f9f448087637d11e965fea9314ad513e16d8eefdc5b3

SHA512
a71c0abd68245d1264a49434ea7dce8b4c84fb4cfe98217143aab877d612bcc3ecce3c9998fd8200907214bf33f4e897adb480dc8f39811558b85097ef91422a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
396B

MD5
21130b2b3a269b4aee267406e79d32e1

SHA1
7b75358210aa6b1fe50a3479e339c12efd4a84ff

SHA256
14ff8a7bd246140e3a72f62f1f9989b095f13b6e8ecbdde270a106e4a65ea8ca

SHA512
436df1cd0b8ded8fd1dfe342506ea99603c4ce2717238a2c3a83bd1287543a29e118b0fac8b43183c189a0e917029aee655a7fec61d03cc3f852438a0f3816b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
e89c73f03654d78665cf864de3afd874

SHA1
f350565e8e8c7e691ac1f3d5d10cbe2e7d85fd65

SHA256
bba379d3b9968ed787c7964ca9b9fac9a8cdf4cd934186aef6a37bbb157c9adf

SHA512
13afca0621c97b6c0699326a06b70683b4676b85aa570f37e364d0e1a73cbe3f8fcbb4f5a7bc8fd179f4fd6139736ea692e552a618ff4f93d40fbc855a8bac0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
506043a2faae14b094c74c9f939ea939

SHA1
6d03da2fdefebbae1d91dbddfb095ec0d31200b7

SHA256
7a387b8de44ece33be91c30d9806b596f6e3c038ad491147a25eff9bb6a61d2b

SHA512
6f8ae79248695ee36a529a23b6908b365df691634dfa4911ad8c9ae2e16e33326fe9713cdecdd6a82e5e075da78ee1a078ece10746bfadb5095eeaef6ebefc45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
1ac5385e6e6bbc5a487eae699a167e09

SHA1
3449b5431337ea39e57fcb7cf33534d6256f2e37

SHA256
92c4b32a642370fd5169f92f42e9abd2c9a63714318b890843d2f4c67722ff5d

SHA512
7644712ff489ec25dcf3608d6bd7175fe202b294e4aec196f57bb8e645bea6256399961a8683b273e3a81508e900a3675639602a70f172eceb952fa95bd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
771575f622bff90067f62d5c67f1a079

SHA1
87c72b9033b3c16c8cd0031b5750ab312381cd07

SHA256
dcbf68bec3d735ec63c978997fe973223fb91acc00e43dab8c78d46ba6ae4ab2

SHA512
0e7db93c615051516377a7c14db4d0d45cd55bb4db569643554d8eb8cda16cb9c684bfcaaea2f80bd0340273753a08ab09ebb39474833b2d7ba6e23f74ee08d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d132b5f4f169852b0c9d01fd22d6c629

SHA1
b418964cafbe8be41cd57abafc3486f8d45b1944

SHA256
cfdce92f9e892092a3edffaa5bb1143ce08cffd2ffbef4d63139f461f6e570d6

SHA512
46f09dde927989a4fed831d776a3c8d2ada487bfb2c8bae44c549e45bbf1e6143778423ba62c27afb39ddb283872d438fa613f35d02294e8ffa84cdb24b30b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
be7576cb8d77115da9843af8201a37e7

SHA1
4ba300662f0c7e7d0fda1c0f42d6906eceb9e0f0

SHA256
b0285ea79cae9383e2fdddbd6517459dea11a4334e3b8fadfc0444b700049962

SHA512
7450b22ebe55b5d11f0aee2f9f3e18c612bcfddf5bab1f1795a44c6654ee3838ea355a2a900e7324975539984fd7e14eecfab4fa2f39884747d5ed9d8fa60d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a54d3d2ee1016415419849cf17dd7a26

SHA1
3cbe07b55f41ba21976ec2574a6d5858038946dd

SHA256
eff919b5c8d4e736ca6ed011b8716f87d5c883ad3cc2def865330cac1cb25913

SHA512
180ea405cfe652c7b4aae035c3c8cc20ebac43600b59b58d93192e547bd71412c27d1e02ae7f6746c300197fa7b0d458e438987241e561384e2f5db4ecff6dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2980fed6e516218560042f6250e297d8

SHA1
48e21f71f6471b73272b62d62cfa74e0a03bbac1

SHA256
a889c475a84f9ee40a33a378ce1332ae8dbc45bb3abc36be5331bba693f3857f

SHA512
764027545beafd51555664056b87f34196e21f3b31a6b98c7ac27aba7b678955849a0aa38014c3d476250545d5a0cdf7cf36aa510fc508fcdde532a1f6d08d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38744d4fa3fd9e36b197ccd5b51ccf25

SHA1
f6c427b6a26c23dd841e8efb41312a5197ffdf26

SHA256
8bd851589852a85fb6391e76d8a426cd40e27081f65eefc730a99f8d8c76d546

SHA512
74a3fe16fd4b93f67344336ab3a932e694e0c9293fa68787b2b23e9d29664dc8b5bc2b48cc9f4ece65e463b23fb6044404bfb1203ad53c0fb444af6b1aad7dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4eeea1b211c6f98a09aaa449ee3f4ea2

SHA1
7558aca570c0e63fadfe145166cff3ab17fc203e

SHA256
74f7bcb679622c95e45444ecfcdd10b0b4c8907b3968eeda8e20678c42f5781d

SHA512
442a5a0dbb8bf55f2d2f341e5d7a31787b5836052012a2d028648901e58ca87dc3f735aa30dd9b36b989252ae9f8036dc7ce61a63eb2da25b6410abc801ba07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f9484791b856303a22c59b188aa62264

SHA1
99f6bdf5f609567e116da659a813519d79744f52

SHA256
96b2e35b9f3b246c416a7e6f92b99fb3fce721096510ec08d36b7e04c90b4716

SHA512
90de489201b789935089fa598d56ab0e61594a1b7c0e9bcc10bc550dda21a538c24554e596f45d0fa80b8317a3af526f6a596c684a567b5e08cbcf606d82d4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ccfaff33925f667598c5d0e82f9f4606

SHA1
8cf9c7bfab1d723ddd5968d5942effa52fa7d2ca

SHA256
a5a514f65cfdf5c9422ac4226752f1f2d8b0e7b7273df20a6c7bd7f7255d7a86

SHA512
8f5f7d8bfca73a019ec31e6fe6eb91812c4ac41151ae2348a5324455f3b1664441378e36f09dec451f63e5d5fb575ed7dfa2ae40fa09b60600b189fe02dffb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
d96e2b7880df0c415f4c62b0551a8419

SHA1
67dcd37b7cbb1c58e3ffe0be57730e7577940e44

SHA256
132f3efff03c883cc09b2886005660b8f519c28a35e7793274e179678505d5f2

SHA512
bee970c009b1cff04ed7dda0fe705071a92fce41d778dfb0402059b751990179b322d7cf83762b3f4595632e50c8376c24bb1bcbd19396cb09ae5df029e091c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
8a96db0ce51a1a83db5b42124354cbf4

SHA1
1776a47ca247f6ab820c0a8ca04f572c7045c3dd

SHA256
6e5110d0262f980ff42eb3d114bf80016bc503b64339d20def343d34bcadd919

SHA512
184cf27b71bd345e25bb9cc9672cc40d43ff8489d00e890f495aa159f6bb3fb27806b1f8abd288a19ce40f4d7311772d15b20ad89dc8f2bc8fec7a5f600e7679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
62b45291d3111f908c73a69d0c11934c

SHA1
93854acd26e62ee72b77c38537a2478cca1aa79f

SHA256
5618bd0797ab960283023cdb5ca9ccda37860d4b0c13557d78e79c856fd887dc

SHA512
60ec9448f93c63856607ed86877e1ac8d87bebfa1a7d412e22a34ead0897e72e4daa28f0b3e9c376d0f3fb4d5a1e4a75455f7b6f9a71b207b8411aa3069cd6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
68cd1438cbe04355cd27046d71bc6052

SHA1
cb9e28829850e33a973656f0fc46e5cb1fc957a9

SHA256
b0f39047cd1e8ef4e0cac88b1ab6a2c63ff8bb07c13b10eb7152e4aaa0532c57

SHA512
de2b23169a9019d7dc93c51eae912826d1dff8cb333c953f5f9cfac5478fc0efa403b1b37c0930738c9054c3613fae465dc7aba2c9a6b1d88b712ca63020842d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cd7e143cb1a1f4792aeabe1faa924a2f

SHA1
6fea8b275a55adac04801a6a2d559607d9f231fd

SHA256
b5e67ae308314034b2c188613079795307c21be5902ab9dd920e3993ae0d7ad9

SHA512
a55e575cd0613bfa745eae9a70ade6ba91bf5d5de7491346329507cd1c3bec17ef51419c05cefadcb3c6c249008a9f01ded805a93e6c4ed9c28b2d192ca9179c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
968a69a89e1fed3d3c04a373382bd724

SHA1
96016dbb4e296258815a7023b78825188f8cc370

SHA256
ee41a31e1f321bbecdcb5f772441a72593a028f49dcbae817366ab8761ffc6f6

SHA512
2b737c5bf28198b1db8494b2cbf519fca61cf1b08f99e7a816a10f535e23267e76d83f156cf8ae446299ee27958d08a831ccd3c94d17681e87cfa330fa92202c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ca47e981f346308abd75f2bfc1273358

SHA1
226d7fd596e7b11271af5d90c38faea9272db65e

SHA256
0f5e32a3dc2aae2f80f2bb8102b3f7af51b87f495338db5b139880b4a0c7a079

SHA512
0c16b46357b3c4c798dc99372ae004bc2b317d424c2aa0a7e89d239df74094251f58425f388cfeb8e6c8754f514360cebf286594e31f84257d3dcb9060c1ac83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e3fd6d707fdcf92002d9f03fb5cc577f

SHA1
44f3096bd863428968e1d011191ac09b457bf974

SHA256
ccc4c84896b72577ccce29d083b34b483d872cadbf2bdd834519d9f4b0bf09a1

SHA512
ae6bff8046553c1102739aa385cd92dd30f1a9d499ebff0d713bb9340888d16e9009a81f93ffb5eaa6fd6821e26b5673406e9682ad47d5ae7ab94a1624d38852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c7a4834bb4bcaa8651ae9d6a360d7ed6

SHA1
3830ce992bc950a43fe76e8b54e61807157d0628

SHA256
c5ff98e014961efd3f7f39e1f98caabcecacf2c6409b7911147b157cdfa105ce

SHA512
e9c1ab91ce11e29970ee925a4f9f67fb838479995be13a12d79f3c13ae3986f7717e5dad464f9b0e2b60a5668ba851b4ca66f61d17b6b4f778b8368bf1c9314e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cf23976fcf6e6a9fba8357268438bef6

SHA1
7698ecb0a3b46cc2e92ca57f48adf92a342f0b9c

SHA256
2e79c38eb15f85fabf6c736d4dd52e6cfc220ecef880649247a45b2dc2027954

SHA512
372b7549218149bf57bade2e12770aa364b5ca79ecb4bf26d17b5c69757cb917ea2b85e8654902536f419e2e9586aec820e0581d87c1118aa45b2190ee5b34f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7c0731b13b2e681366f7da5b316230f7

SHA1
1517df2b02d4d0935c37d2900417be24baf4fe75

SHA256
e008a69e6323245a572288a89367b896e6a959694b85b249618aa3f878b9c8e7

SHA512
c8536864de5c0119b5c745668681d4c38460ee9735756be20f7ac50425cebb22f46d2ac152da3e7135107e042ebff859d602d50b3180c8e843c958d63d278ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ec93fd162bf8d06814649e8914b637b6

SHA1
b3ed1a6df9bd008ca12c54cdb77268c0ce50ab40

SHA256
2de9ca9616a7468203f897831e815b3dbec2d27a7f69c25376ab0713ea60a40a

SHA512
f9efd2dd4f87c455dc299a83a3c335d34ebea43fa5b378f4e229c26d21d9e76d1ac2f1666dc7607ee980ff6bec98ee844cfead33733c71825f9639c6a05bc250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c4706c7f0cca778dccab495a5e233aad

SHA1
e3f495c2821f016ce3ac321a18743e07e1d77117

SHA256
b63dc09c217435bfb1ba20307462f12015ef5d39b5f26ee1b958823da889399b

SHA512
2acd99f57d6720db1d38a5449c28ca5a655946ea228a730afdb14596cc72e93ca9669b7f518cd268feb6acdb5272687fb3967b0172dea69108106624a232e5dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
cf552724cc27761037b25013398e0472

SHA1
05557eefa775d648a9b5292725ba6438c6ddb360

SHA256
ea07a20be8369c7154e1754e80bdd64109e1e5b7556a88ce58b461f794629721

SHA512
bb0fa13cb00819e0bfc51b2f74dc6b0d469ae473bfaa6a20de51972b02cdc236b92c3a98943ec1947629b4ef1967e1497fbcecc9fe8c62fea37474a4dbb6ef85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea4835ebdfab29c97d0e0272339f84d0

SHA1
25214d34b52adcf90a8afef979f05fc55eb64d21

SHA256
4366b84bc173538bcfa8769180eb07c29fbc94649a4391f23d930d6fc2c95e53

SHA512
41f78256455bc19be2f42a45d6dc1c91558db5778b212210b4b36bf9e6019ae117c30e90f8f5fd448e86549ccae9bcf60e49b0e87a7ea546ea96af5b978060d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c7e754e66ac451558ec72ac55a2745d9

SHA1
c06ac652e46730ffbea5632df93eebed9aa55e58

SHA256
8a4dc29f7daaa53468e12dd62c4d6529c274ad568b78aa7309789dff3a3fbcda

SHA512
4a577a6d6ecc25b4d7855a66a614f281ad3d8238bac598bfbdc026f401ebb8c555a32510362e14b749e0e1388942b234147f044163624ebeeba0fa93ce678afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
68dc1ea39b12c822de3464b896a31d9d

SHA1
ae3ef3d05823c6983aa663bf535404fbb53c1d80

SHA256
1d25b5536fb89cf2f6c853f23abf5961677963a705d07d470e633cd9c32a3fc1

SHA512
db725373e28700cbfccd6d36d571b0b9a8eb37e32af89db8c2bf5b7ce84ff3f51c05a3ad378edfba03edd6e3666f519a6e33ff2b0266df50eb989fc679989073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
892963ab194542e30952fe2e30e6ce90

SHA1
05748d151d9321d9eafba234e0019fcead4e9136

SHA256
9ac25e691f545ab0f3bedb0ef263885f10f25865e644220fe740500b047f685e

SHA512
a8c7d4df78308706bff53d9148454ba2f0dcb89681ff43278b00029512cb03f362eb60b78969b11741d9a5c665b3993dafe3450d09a4fd04885c35794f0604c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e0cb4b28fac8d1726e1fec4f00756dfd

SHA1
4345bb6a0c6add17f561fe475d997f1706dd75d2

SHA256
c42c81a3fb9618ef003e955a8c8e1cd23c9452ffde02504ebd81a70bc3687fca

SHA512
bd5178657c4ff0e6d4d08ea056540b3b39d278b5528d12b59353056f56e9bcf2a456d2e220b6926ea5bdfa1c02a6ddd544b82b9938ca332d6d534153a9a970a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe598c0a.TMP

Filesize
538B

MD5
d48311335e2ce4f366bdb0bd66b7d736

SHA1
4c2ccd212798329345d705966593e1c5f666e729

SHA256
ed26a8084024ff9fa57d322b7557157dcfe902ba58b25293712c577c64d1904b

SHA512
3149d958cd66ef82a6c8bb30083311771513bd6a83426cec34750e3482a3ec0138a0276241eb3b82ff849ffc76df3c30d377180690a3c173d7a2b257b43f3bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a868a82d440a5604e009d5d96990ade

SHA1
dbbd72291a5152e95cc807749c4b8e547ecefcfe

SHA256
73562b10a0f2e477e38e4a89aeafff51462931cef7edd65c455eceb1dd5bc644

SHA512
d9c293b2ea354e5e6b1e5ba924c6d03c16c566c6c9075abc4fb44476b45671f4f312c15ba90be06290627dca114cf1508b10b56f8bee0f3a98d897fdec3cad08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6748615efb41a932479966d8d094dd77

SHA1
59fe547e585fcfa6d4e271d3946d9de930dae812

SHA256
9815163fa6d2d126a4fa1175f777117d08c2dfd94ca0d26073a4fbebe7a88f82

SHA512
4f5e464548378cb84e799e407261e8139aa905ece86f525138b93bf12623f8dd03e4b9efb3beffe10c90ae6cbcae989d40634da7f402a22941a282dc0ce127d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1e93b6839c57dd06f05e016dc25bf294

SHA1
52e71e72a6f381922b8485c4ed729f37f2662cd4

SHA256
c6aaa44775c49e30f8bea6544d71694dc67ea8f825290f0ff996e44a37b70f60

SHA512
2bc8bf0ebb3429a8dc1e3caae544187b7daff926ae37d7e242bc50e8ab9b0d5727730afcc0c7a14d51f505f7bb099595551c07780c5997293239c55395a84b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d7518f8c7aa60aef350f6edc79f8851f

SHA1
31fc00a9b070501a1c8f8084289bd75dd61b04e5

SHA256
1df7d2f1a641c8e00f08deccf002476daf811f7705c9cf037670628f8708963e

SHA512
6d3f6c6c75b7662a6a6f4a06b385ba34476c2a1e07225b78c31fbe0600d296ec6edc35f2c3565b9acddaa3f65f59d526db1ae7145110b9690136dcd2d804ceee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1dab789f0317f0a2c396275dbc079f67

SHA1
85ed7c9d008e07be2ccc73af754babc86a0a5087

SHA256
8a40c6c1d724f26e1d1abb30a4adb77c1dabcfedd41034a98f7a952a48f4068e

SHA512
ab0d41b8618ed91f50863bd010f882feb36b6b4e503dabcd29665ef1903ad8f7477ddcad5bd506d22b345891e63777ff4b13b141f50d783e3158ae4c539d4367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3dc90c4093b912f02b19171860e1272f

SHA1
5e26d261f09e94d6c3c754a431cb9274b5438033

SHA256
eeb630dea6d51a998be7eb1d587a7156c14b2691350b2384e045dbd072cb1fd8

SHA512
3aa6dd24cff0cd8b60af3341d427751a53c258d533a0298a0279ff12c7393d271d810f803c35c5937653145f2a6e02dafae57197d713b3b1f9d94d74fa9d1865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bb23e323e1f64532eb248fe5962f1feb

SHA1
6908eb26ee4063e0c85cd4a4f66c0ae4d45f0b3c

SHA256
a937235f916a31e5dcfc6b73389995231551c5050bedca9320ec971d1d67dbff

SHA512
30ae88bf9847aa01b6415ee59ca70ad7e30f714a4dcc55f55bf76a7f57bc366029014e4175519d473fe2be7e781be6569a3386f7c731981c0b8123143f6e6dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aa246c119cf11f734a0a7a762551d4d0

SHA1
54b5a677c0b5769fc52a896a4608ef3834b25b7a

SHA256
dc8e319ca8ead6a512a5ef5069b31e07b6681981fd80462af3ea3fa68b63979d

SHA512
03a64c8616e1940897c564cc22d627f0f3c92bf6f54da4ecb987035765eccb23e14b7158aa51ac45d73f6f1884fe14b87455548d9be528f99935a6a97de3025f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
379b94f2b8eb64a0f0c2bd9a0b2add1c

SHA1
9796ae9a5683d5b4b045b077f9e7c34415d58cd5

SHA256
dbb752c4a99d7e8fffa19b8ab5aecab6093cfbdda3e7b1a57d7567a542bbea65

SHA512
5fcca43524b6eef66843e34fec1e5ef95145ee81614d59faa79077ffc895b15e859491812bf05bc7330e00f22574ae7599b4e8ef1818802226142a4f9e62d9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e0bd6c4d-246d-49f0-a200-1ce2f9f58941.tmp

Filesize
11KB

MD5
fadb1b3fe59e8d4dcd9f6afb4905f192

SHA1
02589cd596fd3770e5ffab8289d124f93f5c0a26

SHA256
422dfe0fa0b4c11c60aa240fab69ab8e88e49b6e719c54b15003f60b728e814e

SHA512
0252edf502447b5a9020e1baa83a70349bd5af953700722ee8eefb23ea5b541b8e99924b40fc744c79ff290bce10a47c1d9b1b558d8fbf379db0d45abea6e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
6d05ac6c6a39fee8e0c242d2abc83c62

SHA1
de07207ded4827aa2a293b09f88c0822913021d3

SHA256
f220154d5b7368f13f6e42fcf3708319c60c08d449230f75e003d9b595fe6d6d

SHA512
157dcb7a16577df6d127ffc49720d1c1cff96da1725c36e52bfad4d552d94f765a613adb44a630839378f2b82746dabb0da7e762ee97dcd81643000fa82f2b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
e13f3aa54f65b8e340e686ffb0b3539b

SHA1
58e82d2a38a3e458effb5e291ad69412f76dcb5a

SHA256
7255654fb6a6c8a61eaa8d17e78836a2812f633a4e81095379f6f2c409fd7aaf

SHA512
ce8225e984d1bfdf49b7b5ea58849dda6f84da4c48b1a62def258d0ab2482c4ea9f2df19beb75a7b05c5dea475be8a71130c2272a9063b2bc70eb4081724653e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
f14a86faa3e22ef8e8bd08903a54e6eb

SHA1
8f594773806a698445d11000cb932b21e6b93f35

SHA256
2e0fa2e3d786c5927fc2ce56b04b3d005863c5015f3f5217238d5bcd8dd290bf

SHA512
f09f3a0eb8274d83c878422d13c556c4a2cf1ea37cc2b83128636b40c5e4206322339d540a48fd0b22d18acc94087d794db4ae1e2d344c0906d402c18598c502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
340b40d863485995ea7eaab9c386dc21

SHA1
47c7de08001050abece764110b8cc028e3c9cb8f

SHA256
5087735f420e1649e208017b143c45d25893b36fe32fd4fa7c97cebf5fe87f19

SHA512
1d007bfeca3aee0312cc64db448746db3153b4a7d77997d3d63b0bc7efe646dc6ebc1ba5fc1a0f62f48c18cdb07d8c0343d1433c13f7ecd62dc281d018d45eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17e45724e81fad9d4f4eda74fe6b349e

SHA1
0ef309ee5638e1055c0f0fe7cd693a5643a1e4a3

SHA256
444084a5dd84f5aeaa084a27da160ea4501574fbb27da9d7aab3c6c5b3269eb6

SHA512
c1b0dd77c2ae9c15843b3bac8de6874609ebeffa5e10e552b364340c51bde690ac563c132dbc14f93e68d3a7939ea840fa687eb1bd603d646acf88a3430b6e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.vbs

Filesize
462B

MD5
593e1c1aac6eb52f5a45481a32a8a94c

SHA1
d9f9f058a22e2c1708eb46c494b705f102d65996

SHA256
477a5b41a9daa3035d3a039990fa6cbab15db95da9a6de3c42874331b642b18b

SHA512
fe8c43148cda5cad61bc4749c1384838ffde2599381da69b0b958c10d2f97351696e70124a1d38a121593e658f44b5ea25272a4bf6dd27e1a4cd1646207e0d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
234B

MD5
448d64b7e2c09496500e077a00882dc6

SHA1
4796fb338dc81d16606ed76f63075b4fef8e051d

SHA256
b894b20027e433c8abe00659b972519d2e4166206de2cbc74cf41567581a099d

SHA512
c2160b4317670acea1cc9b5ba4a447ca1f95370eb119aa2299e2d3dad13d0aee1fd55ee4695b2883f2ce00339db88ec80cb0f104fb9fda8811bb3bd29afc25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
234B

MD5
7cbcceb16259fc7371af338c0e44ed3a

SHA1
b260e12cdc0079b4773ed93de0fe961062ee1549

SHA256
52d886707355893ed4879c4865a3b135e1d9c870478bc0be273eb5259f9d9408

SHA512
d528946ba9ebf5943ba83f62c8221f34bb027a2391f3cc65f4dc9473575a08eb3906e57f9c9769c8ee5586e12f9fee2f9eabb4b69db70bb30c7f832407c96aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pod.mp3

Filesize
126KB

MD5
5fac9ee2ee41eabef3bc0a2043e8b4c4

SHA1
bd8bb1a4c059542bcfa2d813ed9dd649689f0eec

SHA256
983cfe7f4df4e1bdd6f9877ee6aacb6867456a1e467f59c9ea7019b2b8509ff3

SHA512
7291ac25a059fc00d1cce0e34adae8ddad860daa4731613ecedeb9b5a8f3a051317bcbf056c4ce4591dba596a83fc503539a27cc69307c0178f91934a4c4a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pod.mp3

Filesize
100KB

MD5
a343ce0b977a91b39bbb4e357c5c0ff2

SHA1
e64167368927542a591399b3d97a7ade15a97a78

SHA256
2ca0d1e6f1ae8f36f1a00baeb18d97f0f2c0fdecd941be2abc147896e0554a42

SHA512
098cb874f636b79561a885cf31cb837278fd940e1a4824512e5eb3566dba3973c13f537017336c37019aa99a8d9751dca65fbfab838a0db877f4d72b8f5588a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pod.mp3

Filesize
70KB

MD5
9f6f94bc7edaf751c8d8e59549c622b8

SHA1
52c866818c6a6ac8c937ced5d9458a041879e187

SHA256
d129e9c8d4b657809ca63249e11f0556a47a7afc3c6ab07c028def2d9cf0e5f9

SHA512
cfba09b2c76856322d8a7331b9b51c0c04a8ff3ab5c315b95839c6b2e73158be2d10341d969c25880ab674888ec5b77d8e5981df6043aac42eb4a12b6352df6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\SSS.mp3

Filesize
86KB

MD5
83be5832043bd61ce7bb33ec2cff5b0a

SHA1
b6246999852cda657954633c498c363d57876b92

SHA256
6165b1b129b3b36583fbed4e2f67e8910eccbef7c828cb0dd5de69b9636edcd5

SHA512
33aac6a7a610c1f251845d60eab45799da90f1e16ca764cfc48b5b8c92cdfefee398eadcb72e97d4bd36af576e77b1fd7357d70ddf0b7b3eefd736a1154541b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pbrib4vl.o1o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekqyxs.exe

Filesize
439KB

MD5
b3edc0708fb191e2d3016c68585ed31e

SHA1
ab1ce0cb2a819b82206dc1e922e97b284b585d17

SHA256
c9fffa589040d8a6d22285255604948ff3bb3efa7077c776b6b09272bc293b7d

SHA512
77b67f4cf6344f56e20172357831497c6ae4ff57c5a852762437419a7e5819805e10098dc87f90e937cf7603b72a94e6cf66681e1602974355fae8644b2a42dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\faskik.exe

Filesize
444KB

MD5
e4f69c341bc8cfd11e4292788e1e021f

SHA1
cceb7f3a13f3800b93b2a075b62d0571f59c6f21

SHA256
f92e8a9832c9025b4f8e870e4f61582cccfcba28bb4cb00697578714b7b3a0f5

SHA512
71c2273d72b55d2e8b9f2b2c86ae8facd22191ae564284ba2b4e824f335b652d0335e2ab86484db6c257562eecb935daf006cf358d1398a80833d824e8c8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\flkyve.exe

Filesize
6KB

MD5
2aea27b056354f507176190c33a2b679

SHA1
23a103bac45bd0d090a959fe4f524d112aea5b24

SHA256
b11a92c2961b6b3da9ca54ce8bf866980913f3a5df2969f809e5cd4fcc734663

SHA512
62336fa72f093bf73114dc140d461b7684e966624484651d1821a210b73016cc525c2d949d4d43947219af18c0c776184a127a4a2a57c1ff13f3daf117f57514

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbwlpq.exe

Filesize
108KB

MD5
177e2fad68f7e0fae44338c5664377a0

SHA1
bc8a4862fbe1466ae24af0b6a8e18d47de07dda8

SHA256
88067f605653bf03d058213fb40e708d325cc14f62609c7ba7404e6cbd94f9c9

SHA512
671838b6578c4cc0584589847c327b8aba0463d80e5ddbc1ff37791e54304eeb3645b405631e6bbb5709833ed4908e87a2c18e440b5a323e54c723a9ffd22f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltvrwo.exe

Filesize
19.7MB

MD5
80c506da3df5e4580c06c48162bccbea

SHA1
43fbccf50f91cd8e1190869b0edc96d920519c14

SHA256
5699b2e12f78b7eeca0633c6a5a93effe7187565eccd7668acccf93c61ab7acb

SHA512
f4a424bf758bb48da944701397ac1e82bb72a15ea4e8818535f2e52199d37e9caf4361303fee4bd9d6db528e1c0171d1612aebc5f636ca9c4ee4fd795432b8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\okaxnx.exe

Filesize
388KB

MD5
996381d9169e255b57d112f4ba64feba

SHA1
effd1e3487f8d55a45b7836d33381ceb89ccc642

SHA256
5e52a7070a4b2ed49a402548ca31b660df6237965089e611ca5553c4077210f9

SHA512
ab6c8b78ec07d3303ea976b4ff420b736ac3eb5031f4e7fa2f6e22ffff2a5372a72a280a6b8286cdae533415b3d26636b54935cc7b014160471d7d1c11975fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhgiqv.exe

Filesize
938KB

MD5
abde72bbbe3a4e9aefac2613cc1fb1d8

SHA1
37e233800c07ae09de6f08b0beae552bb3cab69c

SHA256
d3c019f06f8e399fb76c9e778bbdf97f51e00cf61f0bc04c6811fc03f9fd25b5

SHA512
64c849e91ec0042de899d033d8e704708d4546bf46283545c4e88d36d5e1c453291ac2e128b27ba62014702b699e55a0ef47bd147747bdb0bd4f23006d957595

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvorwt.exe

Filesize
237KB

MD5
6520885628fe337b8665099479cc1d4d

SHA1
09741f5c74b3525c31004c5bd19b0ecab835186d

SHA256
13d8121844734f49d93956b30ffab57a220e5fe1345a0bcf89e4df9cd37ab4f4

SHA512
235d7a2cd8751c7f128d6e6014f098f296d49bf1fca6e0c716e3330588f9ab0688a25ab44b02879411b6210f3febdfed35d9beb1ef5a18542578211fbdd9fe9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yniiro.exe

Filesize
380KB

MD5
155e0d80cd20b0cb84a9420e5ca07319

SHA1
78b644f43d75852e4233dc251b7f3ceb710e0719

SHA256
d5b4d80cb67982af2cde7c78c59ccabb483d7bdab56657dcc37daee86198f192

SHA512
4f9a42c60a40a4be1988ec8e6a576d0c330c042b2e63eefcaef316212434b4a8d03e976e6f302ee0c79f4db2a951c34c503f0e9188aad5712909a10da575f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytlcex.exe

Filesize
7.4MB

MD5
3c3d1168fc2724c551837a505ea4374e

SHA1
86c913a12067fd2c1bbc31fb64a5b5d056175841

SHA256
f91c14c328544a2d4cc216c7c2115283806fa3201d40bd3c7c5d79dccd025b09

SHA512
0f181c9753a3f55e4f4a434ea3e972e00b46fb7319d95a4b7a5c7d09888537df4a8fc4c2c5e0232f96b441727e45a595eed42721ff8c7799302e4d3f13156a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpovyz.exe

Filesize
3.8MB

MD5
a06b3a0a8bcc14b73a6a2b566e6d0cfa

SHA1
b2db8cd4ab404f71914e1a0acc3882b036646e2b

SHA256
df1d3303f29c9b8a7c375ea9117688248834a6929a3092097c144e0cd90c94a5

SHA512
1080ac681008cfaec018428e08bd643efa99f4805c3e788ccb82711135a9d22c6b10ae7b7645d37d7465b5e291207adffe56534c9525887597173a9bb250cd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzlwlp.exe

Filesize
418KB

MD5
0176aa2a2823bfdd677c59c4a044face

SHA1
f7464fce6ca9db13050290818b219cc031ed9ce6

SHA256
0bf4a5582d0cf1a117e7be96e62a7293a58f0f6548ac558cdce41e981f4f7cfa

SHA512
e3e4a4c37ee1febaebfd489bdb45b2da229fdc103d808c5b7310c6683ecd491258cd806e0ba8ba918e8633c65023f35c87122e72422deb0028e0f03dc11b2d89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
76ce0433ba4cc8e7109dfa1fc3416a97

SHA1
d9280b322692981201d077471b08364ca59caa57

SHA256
d1d5d25723702b7f192ae53de472cac73cbdc5250a9fba4a52089cf134ff91ad

SHA512
5fc583f45ceab5121d151f8c48b25c55aaf71b0cf53bd9f97d3cbc81871e5ec83900ebb0feebc6ebf2f1ddee1e83520ac4daf154faf54d77ab486f7cce9dd953

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
71KB

MD5
ed3794861ddc34b4748ff8081e80cb2b

SHA1
e63cf084552f0c2803de0109e3d2fcd3102c4738

SHA256
6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

SHA512
df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 957185.crdownload

Filesize
28.6MB

MD5
c0b4fec8ef1a3a96c25952d1711f14bb

SHA1
b3951161dd9a163b60c6f2d7ac28435f1b8d0d64

SHA256
1677bc66ed7f88e9c69b31b50b5cc8a92466f01db7f422c06ae5632ec19437ef

SHA512
94dc06b3d6d45aee1e52ca1be3c76e6b4d862930db037e627c086613adc15aa4f036c27bd300094176fe9d5ab421d44ad2819da7acad9af602de1f648c05c8e0

Download Submit
memory/452-1076-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/452-1101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1156-2136-0x000001AD25E50000-0x000001AD26214000-memory.dmp

Filesize
3.8MB

Download
memory/1300-1163-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1300-1160-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1300-1161-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1300-1162-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1300-1164-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1300-1165-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1424-1358-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1424-1529-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1736-13-0x0000022D81E20000-0x0000022D81E42000-memory.dmp

Filesize
136KB

Download
memory/1736-3-0x00007FF8E66B0000-0x00007FF8E7171000-memory.dmp

Filesize
10.8MB

Download
memory/1736-14-0x00007FF8E66B0000-0x00007FF8E7171000-memory.dmp

Filesize
10.8MB

Download
memory/1736-15-0x00007FF8E66B0000-0x00007FF8E7171000-memory.dmp

Filesize
10.8MB

Download
memory/1736-18-0x00007FF8E66B0000-0x00007FF8E7171000-memory.dmp

Filesize
10.8MB

Download
memory/2252-1188-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/2252-1189-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/2252-1187-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/2252-1184-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/2252-1186-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/2252-1185-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/2752-1125-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/2752-1128-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/2752-1126-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/2752-1127-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/2752-1129-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/2752-1130-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/2752-1143-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/2900-2101-0x0000000000BE0000-0x0000000000C7D000-memory.dmp

Filesize
628KB

Download
memory/2900-2102-0x0000000000BE0000-0x0000000000C7D000-memory.dmp

Filesize
628KB

Download
memory/3432-2112-0x0000000000130000-0x00000000014F4000-memory.dmp

Filesize
19.8MB

Download
memory/3524-1880-0x000000001B3C0000-0x000000001B3CA000-memory.dmp

Filesize
40KB

Download
memory/3524-0-0x00007FF8E66B3000-0x00007FF8E66B5000-memory.dmp

Filesize
8KB

Download
memory/3524-1517-0x000000001B3D0000-0x000000001B3DC000-memory.dmp

Filesize
48KB

Download
memory/3524-74-0x000000001C7C0000-0x000000001C7CC000-memory.dmp

Filesize
48KB

Download
memory/3524-73-0x00007FF8E66B0000-0x00007FF8E7171000-memory.dmp

Filesize
10.8MB

Download
memory/3524-70-0x00007FF8E66B3000-0x00007FF8E66B5000-memory.dmp

Filesize
8KB

Download
memory/3524-2-0x00007FF8E66B0000-0x00007FF8E7171000-memory.dmp

Filesize
10.8MB

Download
memory/3524-1-0x00000000002E0000-0x00000000002F8000-memory.dmp

Filesize
96KB

Download
memory/3796-1137-0x00000000038B0000-0x00000000038C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1141-0x00000000038B0000-0x00000000038C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1142-0x00000000038B0000-0x00000000038C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1138-0x00000000038B0000-0x00000000038C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1139-0x00000000038B0000-0x00000000038C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1140-0x00000000038B0000-0x00000000038C0000-memory.dmp

Filesize
64KB

Download
memory/4032-64-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-65-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-68-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-67-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-66-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-63-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-58-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-69-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-57-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4032-59-0x000001DCEFAB0000-0x000001DCEFAB1000-memory.dmp

Filesize
4KB

Download
memory/4296-745-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4296-386-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4296-382-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4296-381-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4296-383-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4296-384-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4296-385-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4596-2123-0x0000000000B50000-0x00000000012B0000-memory.dmp

Filesize
7.4MB

Download
memory/4596-2125-0x0000000005B60000-0x0000000005BF2000-memory.dmp

Filesize
584KB

Download
memory/4596-2124-0x0000000006200000-0x00000000067A4000-memory.dmp

Filesize
5.6MB

Download
memory/4596-2126-0x0000000005C10000-0x0000000005C1A000-memory.dmp

Filesize
40KB

Download
memory/5320-251-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/5420-1111-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/5612-838-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/5612-834-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/5612-835-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/5612-836-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/5612-906-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/5612-837-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/5612-833-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/5700-1174-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/5700-1175-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/5700-1173-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/5700-1172-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/5700-1176-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/5700-1177-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/5796-1017-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/5796-1020-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/5796-1037-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/5796-1019-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/5796-1018-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/5796-1021-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/5796-1022-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download