cerber | f9ca19c8fa421287522b0606e25a97b0e6f9a6737d0021813da685a36d3151de

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 10:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Badware Unban.zip
Size

32.7MB
MD5

1042c5c00030fdf20bc00f3912970ec3
SHA1

e383bd53a4736d05bd7aa2954c94294e9a36410f
SHA256

f9ca19c8fa421287522b0606e25a97b0e6f9a6737d0021813da685a36d3151de
SHA512

99a140cfc7fa2d84f437ba943a2e3fa936d42232eeb2984f28a6c1bdff2587b733367ec85b496064cbfcb8d84c37c81191ddd936356e629660d1fccb0eb01312
SSDEEP

786432:Cvn5q4e/trW377C0tsXkF9V8/KYwdGmKeBxaW2kdK7SUqXyBINW0:CvngVEIkHoKLdGmKeskA7SUqCQW0

Score

10^/10

cerber discovery ransomware

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		5184	taskkill.exe
		5372	taskkill.exe
		5540	taskkill.exe
		2572	taskkill.exe
		604	taskkill.exe
		4820	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4840	taskkill.exe
		4816	taskkill.exe
		3200	taskkill.exe
		5368	taskkill.exe
		4944	taskkill.exe
		3036	taskkill.exe
		312	taskkill.exe
		5596	taskkill.exe
		6064	taskkill.exe
		1188	taskkill.exe
		2872	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		5908	taskkill.exe
		1992	taskkill.exe
		2836	taskkill.exe
		4268	taskkill.exe
		4700	taskkill.exe
		2676	taskkill.exe
		2196	taskkill.exe
		3600	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4820	taskkill.exe
		5788	taskkill.exe
		1212	taskkill.exe
		6020	taskkill.exe
		2784	taskkill.exe
		6112	taskkill.exe
		2996	taskkill.exe
		652	taskkill.exe
		3212	taskkill.exe
		1140	taskkill.exe
		3560	taskkill.exe
		1284	taskkill.exe
		60	taskkill.exe
		1984	taskkill.exe
		3552	taskkill.exe
		4420	taskkill.exe
		2132	taskkill.exe
		4576	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2840	taskkill.exe
		852	taskkill.exe
		5572	taskkill.exe
		860	taskkill.exe
		5684	taskkill.exe
		4148	taskkill.exe
		488	taskkill.exe
		404	taskkill.exe
		5948	taskkill.exe
		64	taskkill.exe
		2104	taskkill.exe
		3044	taskkill.exe
		2636	taskkill.exe
		1348	taskkill.exe
		5680	taskkill.exe
		4848	taskkill.exe

Executes dropped EXE 5 IoCs

pid	Process
3804	AMIDEWINx64.EXE
5188	AMIDEWINx64.EXE
2792	AMIDEWINx64.EXE
668	AMIDEWINx64.EXE
2808	AMIDEWINx64.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
94	discord.com
75	discord.com
76	discord.com
92	discord.com
93	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4844	BadwareFreePermaUnban.exe
4844	BadwareFreePermaUnban.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\IME\AMIDEWINx64.EXE	BadwareFreePermaUnban.exe
File created	C:\Windows\IME\amifldrv64.sys	BadwareFreePermaUnban.exe
File created	C:\Windows\IME\amigendrv64.sys	BadwareFreePermaUnban.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5968	cmd.exe
4856	cmd.exe
5996	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
3552	taskkill.exe
404	taskkill.exe
1984	taskkill.exe
5788	taskkill.exe
4848	taskkill.exe
1992	taskkill.exe
852	taskkill.exe
5372	taskkill.exe
4816	taskkill.exe
2132	taskkill.exe
4820	taskkill.exe
4312	taskkill.exe
1208	taskkill.exe
5572	taskkill.exe
3212	taskkill.exe
652	taskkill.exe
1424	taskkill.exe
5948	taskkill.exe
60	taskkill.exe
3036	taskkill.exe
1212	taskkill.exe
4420	taskkill.exe
860	taskkill.exe
2996	taskkill.exe
2572	taskkill.exe
5908	taskkill.exe
3560	taskkill.exe
5684	taskkill.exe
5680	taskkill.exe
1284	taskkill.exe
5596	taskkill.exe
4268	taskkill.exe
4576	taskkill.exe
692	taskkill.exe
6112	taskkill.exe
2840	taskkill.exe
2872	taskkill.exe
2784	taskkill.exe
4148	taskkill.exe
4700	taskkill.exe
4840	taskkill.exe
4888	taskkill.exe
1348	taskkill.exe
5368	taskkill.exe
2636	taskkill.exe
488	taskkill.exe
6064	taskkill.exe
5184	taskkill.exe
2836	taskkill.exe
64	taskkill.exe
2104	taskkill.exe
4820	taskkill.exe
3044	taskkill.exe
1140	taskkill.exe
1188	taskkill.exe
604	taskkill.exe
3600	taskkill.exe
6020	taskkill.exe
4820	taskkill.exe
3200	taskkill.exe
4944	taskkill.exe
2196	taskkill.exe
2564	taskkill.exe
2676	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{8F235D1D-D7D3-4852-A0B1-4F730E0DE796}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4844	BadwareFreePermaUnban.exe
4844	BadwareFreePermaUnban.exe
5004	msedge.exe
5004	msedge.exe
448	msedge.exe
448	msedge.exe
5356	msedge.exe
5356	msedge.exe
6132	msedge.exe
6132	msedge.exe
3752	msedge.exe
3752	msedge.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	60	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	5572	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	5908	taskkill.exe
Token: SeDebugPrivilege	5948	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	6020	taskkill.exe
Token: SeDebugPrivilege	6064	taskkill.exe
Token: SeDebugPrivilege	6112	taskkill.exe
Token: SeDebugPrivilege	5184	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	5372	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	64	taskkill.exe
Token: SeDebugPrivilege	312	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	5540	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	5596	taskkill.exe
Token: SeDebugPrivilege	5684	taskkill.exe
Token: SeDebugPrivilege	5680	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	5368	taskkill.exe
Token: SeDebugPrivilege	5788	taskkill.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe
6132	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4844	BadwareFreePermaUnban.exe
3804	AMIDEWINx64.EXE
5188	AMIDEWINx64.EXE
2792	AMIDEWINx64.EXE
668	AMIDEWINx64.EXE
2808	AMIDEWINx64.EXE
3912	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 3476	4844	BadwareFreePermaUnban.exe	108
PID 4844 wrote to memory of 3476	4844	BadwareFreePermaUnban.exe	108
PID 4844 wrote to memory of 2452	4844	BadwareFreePermaUnban.exe	109
PID 4844 wrote to memory of 2452	4844	BadwareFreePermaUnban.exe	109
PID 4844 wrote to memory of 3600	4844	BadwareFreePermaUnban.exe	110
PID 4844 wrote to memory of 3600	4844	BadwareFreePermaUnban.exe	110
PID 4844 wrote to memory of 1544	4844	BadwareFreePermaUnban.exe	111
PID 4844 wrote to memory of 1544	4844	BadwareFreePermaUnban.exe	111
PID 1544 wrote to memory of 2784	1544	cmd.exe	112
PID 1544 wrote to memory of 2784	1544	cmd.exe	112
PID 4844 wrote to memory of 4340	4844	BadwareFreePermaUnban.exe	113
PID 4844 wrote to memory of 4340	4844	BadwareFreePermaUnban.exe	113
PID 4340 wrote to memory of 2196	4340	cmd.exe	114
PID 4340 wrote to memory of 2196	4340	cmd.exe	114
PID 4844 wrote to memory of 3304	4844	BadwareFreePermaUnban.exe	115
PID 4844 wrote to memory of 3304	4844	BadwareFreePermaUnban.exe	115
PID 3304 wrote to memory of 2840	3304	cmd.exe	116
PID 3304 wrote to memory of 2840	3304	cmd.exe	116
PID 4844 wrote to memory of 2716	4844	BadwareFreePermaUnban.exe	117
PID 4844 wrote to memory of 2716	4844	BadwareFreePermaUnban.exe	117
PID 2716 wrote to memory of 4848	2716	cmd.exe	118
PID 2716 wrote to memory of 4848	2716	cmd.exe	118
PID 4844 wrote to memory of 1596	4844	BadwareFreePermaUnban.exe	119
PID 4844 wrote to memory of 1596	4844	BadwareFreePermaUnban.exe	119
PID 1596 wrote to memory of 2636	1596	cmd.exe	120
PID 1596 wrote to memory of 2636	1596	cmd.exe	120
PID 4844 wrote to memory of 1308	4844	BadwareFreePermaUnban.exe	121
PID 4844 wrote to memory of 1308	4844	BadwareFreePermaUnban.exe	121
PID 1308 wrote to memory of 604	1308	cmd.exe	122
PID 1308 wrote to memory of 604	1308	cmd.exe	122
PID 4844 wrote to memory of 4840	4844	BadwareFreePermaUnban.exe	123
PID 4844 wrote to memory of 4840	4844	BadwareFreePermaUnban.exe	123
PID 4840 wrote to memory of 2132	4840	cmd.exe	124
PID 4840 wrote to memory of 2132	4840	cmd.exe	124
PID 4844 wrote to memory of 2992	4844	BadwareFreePermaUnban.exe	125
PID 4844 wrote to memory of 2992	4844	BadwareFreePermaUnban.exe	125
PID 2992 wrote to memory of 2996	2992	cmd.exe	126
PID 2992 wrote to memory of 2996	2992	cmd.exe	126
PID 4844 wrote to memory of 4836	4844	BadwareFreePermaUnban.exe	127
PID 4844 wrote to memory of 4836	4844	BadwareFreePermaUnban.exe	127
PID 4836 wrote to memory of 1284	4836	cmd.exe	128
PID 4836 wrote to memory of 1284	4836	cmd.exe	128
PID 4844 wrote to memory of 2212	4844	BadwareFreePermaUnban.exe	129
PID 4844 wrote to memory of 2212	4844	BadwareFreePermaUnban.exe	129
PID 2212 wrote to memory of 2104	2212	cmd.exe	130
PID 2212 wrote to memory of 2104	2212	cmd.exe	130
PID 4844 wrote to memory of 956	4844	BadwareFreePermaUnban.exe	131
PID 4844 wrote to memory of 956	4844	BadwareFreePermaUnban.exe	131
PID 956 wrote to memory of 3200	956	cmd.exe	132
PID 956 wrote to memory of 3200	956	cmd.exe	132
PID 4844 wrote to memory of 1788	4844	BadwareFreePermaUnban.exe	133
PID 4844 wrote to memory of 1788	4844	BadwareFreePermaUnban.exe	133
PID 1788 wrote to memory of 1992	1788	cmd.exe	134
PID 1788 wrote to memory of 1992	1788	cmd.exe	134
PID 4844 wrote to memory of 2728	4844	BadwareFreePermaUnban.exe	135
PID 4844 wrote to memory of 2728	4844	BadwareFreePermaUnban.exe	135
PID 2728 wrote to memory of 2872	2728	cmd.exe	136
PID 2728 wrote to memory of 2872	2728	cmd.exe	136
PID 4844 wrote to memory of 2920	4844	BadwareFreePermaUnban.exe	137
PID 4844 wrote to memory of 2920	4844	BadwareFreePermaUnban.exe	137
PID 2920 wrote to memory of 4820	2920	cmd.exe	170
PID 2920 wrote to memory of 4820	2920	cmd.exe	170
PID 4844 wrote to memory of 2624	4844	BadwareFreePermaUnban.exe	139
PID 4844 wrote to memory of 2624	4844	BadwareFreePermaUnban.exe	139

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Badware Unban.zip"
1⤵
PID:3516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4436

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Badware Unban\PermaUnbanKey.txt
1⤵
PID:1308

C:\Users\Admin\Desktop\Badware Unban\BadwareFreePermaUnban.exe
"C:\Users\Admin\Desktop\Badware Unban\BadwareFreePermaUnban.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 06
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:2624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3276
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4340
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:3304
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:1596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1308
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Kills process with taskkill
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:2380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:2100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1396
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2816
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1620
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:3564
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:2196
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:64
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4444
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/badware
  2⤵
  PID:3412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/badware
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffba94e46f8,0x7ffba94e4708,0x7ffba94e4718
      4⤵
      PID:1856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,3583413328166821080,1289759231425895947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,3583413328166821080,1289759231425895947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,3583413328166821080,1289759231425895947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3583413328166821080,1289759231425895947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3583413328166821080,1289759231425895947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:2196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3583413328166821080,1289759231425895947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
      4⤵
      PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con: cols=69 lines=18
  2⤵
  PID:5928
- - C:\Windows\system32\mode.com
    mode con: cols=69 lines=18
    3⤵
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/badware
  2⤵
  PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/badware
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffba94e46f8,0x7ffba94e4708,0x7ffba94e4718
      4⤵
      PID:3848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3867336326991576516,11829740134295437859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3867336326991576516,11829740134295437859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,3867336326991576516,11829740134295437859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
      4⤵
      PID:552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3867336326991576516,11829740134295437859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3867336326991576516,11829740134295437859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:2872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3867336326991576516,11829740134295437859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
      4⤵
      PID:2480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,3867336326991576516,11829740134295437859,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3420 /prefetch:8
      4⤵
      PID:4312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,3867336326991576516,11829740134295437859,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4900 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe >nul 2>&1
  2⤵
  PID:5528
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
  2⤵
  PID:1404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steamservice.exe >nul 2>&1
  2⤵
  PID:5896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steamservice.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&1
  2⤵
  PID:5872
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steam.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5968
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4856
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe >nul 2>&1
  2⤵
  PID:2052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im UnrealCEFSubProcess.exe >nul 2>&1
  2⤵
  PID:3816
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im UnrealCEFSubProcess.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im CEFProcess.exe >nul 2>&1
  2⤵
  PID:6072
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CEFProcess.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe >nul 2>&1
  2⤵
  PID:3404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe >nul 2>&1
  2⤵
  PID:6104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe >nul 2>&1
  2⤵
  PID:5272
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEServices.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe >nul 2>&1
  2⤵
  PID:2576
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im smartscreen.exe >nul 2>&1
  2⤵
  PID:5140
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im smartscreen.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im dnf.exe >nul 2>&1
  2⤵
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im dnf.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im DNF.exe >nul 2>&1
  2⤵
  PID:4420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DNF.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im CrossProxy.exe >nul 2>&1
  2⤵
  PID:4896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CrossProxy.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BackgroundDownloader.exe >nul 2>&1
  2⤵
  PID:3820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BackgroundDownloader.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im TXPlatform.exe >nul 2>&1
  2⤵
  PID:4076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im TXPlatform.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginWebHelperService.exe >nul 2>&1
  2⤵
  PID:1908
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginWebHelperService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe >nul 2>&1
  2⤵
  PID:5736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginClientService.exe >nul 2>&1
  2⤵
  PID:2604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginClientService.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginER.exe >nul 2>&1
  2⤵
  PID:5644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginER.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginThinSetupInternal.exe >nul 2>&1
  2⤵
  PID:5600
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginThinSetupInternal.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginLegacyCLI.exe >nul 2>&1
  2⤵
  PID:2344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginLegacyCLI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Agent.exe >nul 2>&1
  2⤵
  PID:5676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Agent.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM.exe >nul 2>&1
  2⤵
  PID:5404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM_ROSLauncher.exe >nul 2>&1
  2⤵
  PID:1172
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM_ROSLauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM_ROSService.exe >nul 2>&1
  2⤵
  PID:5832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM_ROSService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /SS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:1372
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /SS 2242310577-252215933-2204318834
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /BS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:4976
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /BS 2242621326-1031729996-3235822760
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /CS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:4596
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /CS 2242621326-1031729996-3235822760
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /PSN %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:2624
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /PSN 2242621326-1031729996-3235822760
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:3260
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe C: 7228-8671
  2⤵
  PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe D: 3099-4167
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe E: 0271-9707
  2⤵
  PID:5848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe F: 9723-2334
  2⤵
  PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /r
  2⤵
  PID:3780
- - C:\Windows\system32\shutdown.exe
    shutdown /r
    3⤵
    PID:4088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:60

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
440c1250d6124793ac40c3ba9ae869b9

SHA1
b82601b3c1420c90de4d8d381abe8fed44fb8e90

SHA256
15ce5816eb05c3c4591b73a7297be5eb4b49ba040992494718184b84b407af97

SHA512
10b28e8c7dd6a380cdf34ac21d624fa2a7458dea19d1e49f68f76520740bb416f035882710606279537455d6c243f11ec1587eb3dc349273bc6490aa5989df7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6d6046f979e593dafd4b8b1b49fddfec

SHA1
1e37f6d516feaabf08a6a3155b36429f3a12048a

SHA256
24f5290e000de03f64091d19ff912bbf620ab3fed67aa1237bf1618d155b051c

SHA512
cf57d956f98f26be475c8b940b23937110e734278d54d959e42e242c717b0c9e2282a50a6afe0c3c7bc71f050490dbb364554580a3969d2d4316be01c59938ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
48112cb36d6b5ee5def4319cfda4d935

SHA1
f6e48b3d80782d8df813d19ec826304b2bd60a41

SHA256
8835f3db46f01c95e9f7c274f1e6873914545808a5c5a0b885ae4824f0fa1c2f

SHA512
f2aa3d15855caacbe970488ccafffeb84299dc94387e9e5c3cbc20364b140a7981375408897e997f17da8d0253be8f64f886c4322c972876c2c34fcb03bc182b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
4356b0c6e71c8df0a45de6b07ff952f1

SHA1
62c7b836b4cb41f55d3d9cfbe2bf29f468611cf9

SHA256
0d2f1a948e14b6884ddea751ebae10e4227562e8f8d642bb5b16d44c077ac6e6

SHA512
1e9b9570a0d7abca4d2128ccd0b9a46b46aeb1fb338efd5ab332fe3c6c7fef0be35cf9a7074f039736f1918416c6c6a5c19cdec816099c3d9b5cb34c88dd20d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
2355366018cfa5f6dceda3e17ce7f812

SHA1
1a5816ca531aaf3360dcef8dc6d23a62b9644799

SHA256
db4d3bf5cad840bbe389d446aa16a7e3a756121140b1fb6b0efff6e71ece9107

SHA512
424dc4561e7c4291b15ffa78317564d3b4476ae239e13b524cc0e7b1cdd2d4f9949697745191ac801a73c3cdbb94803715b2ad6e8ff5447a2ff8e10ce8cfd65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
fa486a61bd6f9f55475de9fa74ceffa0

SHA1
6ac89ee801dcade92b4242713cf2d447dd960369

SHA256
4b7a2440d48b1fe96fe8e0a99a3f62f52576aab971938a78f556596821cded8d

SHA512
12ae4ce2ff3c52de8dc2bed05fc03a36a0355ec2842846f07d6353fe5d8d71ef8330e9bc4cfffc8c90efe51b313f0f4c21cb8ce77b691ea00c4b256cca55fec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
829fd0690ff5dd7dd99c56c3a9e4afff

SHA1
cf529b6781c220a6c58156ed11b65e06317494cc

SHA256
8f72bf62eeed09fa52d569a42ac27143abd468767298cfb6d6b5e0a905e1ccf5

SHA512
fa594f3c466f0c62fb528b7fd55323df28f5d9809edf3a475ac9d7092efd4a0c8db87083cdbce1e039b1acfbbe477ddadcc06c18bbaecc270e528d8cf9ff5884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
b90306ad7ed3031a23950960bb2f0153

SHA1
681c9f1039d5bdf6a20f7a0d6d6ca1438d809ac3

SHA256
f1ec8db9fa2eef21b2e536c38b7f241431ea8d6cd30306d459e6ecffdd2c8464

SHA512
92d0ef1e0adfea9bea371124de165902f14472ff7fb76e3c3bea8694f9c8ae826ea7e46465eed3485c9a790ade50717c9f29b5f95743bb4ae622bc0e5089fa5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
bb9368a121852c3735f31083f688c0d3

SHA1
435203a57c382615949c42ffcffbbe101cbe9c87

SHA256
bebeef9db7ad49b7c73f84cbccbebab5e44a8dfd601aa042ba9c65f81af03e3b

SHA512
c1ee2b3290318a9541741e596c8c7d4a8b47c2e45bb0fd4d34a5126a2e4981a6c5d59736a224f8d48d64e6bdb9e1d3b4e59b9c75b02907b845cb9135fc8915a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
095a0e572d4fd6309d0204831f7948eb

SHA1
949ed3064d2e0b62541c087ffefb36d08d4fd0f1

SHA256
12c8376613b972dbce33bee1238fcced111b150f930849e993f44338760a97be

SHA512
34942fed32c56920627f405bdfddd0f91d6d83e6e77866f7de84422643ecd0146c8d7b1bebc6563f08345e89b197dfdaf5a14307e032f9f31247b1a604fe89bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
615B

MD5
44e729e0ecb10f48be92005a6c7134ca

SHA1
fb80fec966516cd2a77be5b9cbcb82057d9f26ac

SHA256
10efa2e9dab9dc2fb783598fad238f77cdd5f8a9f682f11545be48ae8f0f8acc

SHA512
0e9fa887a5f6bc64c15b8346fbb28a537cae68702c5f3762fc27987f01c3db168d6891d1d16fd094f5f5a3e9611b81f5bd0352609017b3ecb36b249befc6b01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
20KB

MD5
a5ecd8b53015debc28ee6c7bec44cd74

SHA1
c2169df7cf9deec90d8ddc9a1e2b799fa109461c

SHA256
b286d821793946afc0924f0fe47cd33760fab3f26260faa97681b1c3ce4c00f9

SHA512
5fee939fa9a727b06f09be3806fc0499609d6a59fb72859c08ab269a7f04ec1e975a3aa2aa3ad69f18ebd42ffcd35d0d76edbe239f76629a79e00cba450a36e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
6e06261a910adef6f7e7398a66c9e57a

SHA1
81c9a7098cca2b8e4fd9926ccc3ee67ddf3f8bf2

SHA256
4c579b6ca0efd9a34c55642dab1d459bfff359d1a0c77474cc65e097adf7c330

SHA512
a576d7811db528a3bafbdbd89e8548661c0dc91a260e516d24cf00a7f1db5cadaa7f5eac5b459728b4383107d14e3024fe0e5ccf3e52e5d347624f51b79e5076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
456B

MD5
7af2e895b2040984e32fb3c320a8d50d

SHA1
bfa4f75ed6fba5369fb574e4f440eb924357b087

SHA256
a8dc4c05b8abce93dba7e74e38c1901c3e6613c5d9fa07234bfe8910a907d192

SHA512
10575155e66c31b065556b6cacb32fcbf9b081f07e513186bd381bb2e575ca96206337fe7dc88dc9ff16e246a3acbe4761a9b921ede5f089fb9fdbf544da0a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
197B

MD5
0c50329ee2f173b61c02cb28f06c4c1e

SHA1
b6b791816bc7c576303671f11dcb32bfda2f08ba

SHA256
fa8b1c2dfabaca4514e355951dd62c45dbe0e21104dad77cd6646bd219a979d6

SHA512
bb115d00c3722f29a0184e954444a92cdad77c04a1600711646757132ab420733b910b97d5cfdaf678dc534e0bcdddb869d530c0cf34594ae69b3c51913618a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac4d31343a44809af7bcc697c6281d21

SHA1
739f3b150d26ceb28c0d31a3a8a8742427ff2ac2

SHA256
f5f866b05e7976e091d46a3592329864265a38e67f2d724dceb8d14852618763

SHA512
1fa589f6a9f5300079fc3da0f278d0b668644580ad2c31665d4bb2b6612157fa4127c6cabf12b3a49ea131a502618b7d335d7f110804d30d41bf9e35f681b879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae64b70dd3617772853970c43eb78570

SHA1
db44a65de05887a2a19d044b8374b089d6bb1c5f

SHA256
24aeb7d2c09578808fbed09f9b9f4f2c0aefb693a70ac47b56aa5cc1f6578fb9

SHA512
394f3e43aa09eb3743ada5a004c4a61fe166509009f1401cce7a5999ea469dcf9e9cc2648c8f97d5e5b2ed7a60529816f3696c8fcb5700131ac6af045edc41a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
446ee5f65e42dcb6af0560079620f499

SHA1
2f498b0a0d3f455b920fc48e4683a8796d99e9d8

SHA256
ee86b21f74963d5cd6d3e69ac26c0295d202ae3db708966188b79f413e0cd9d3

SHA512
29e55c993cce59546864f613a96b00b29e69c6d73dc1c1efb0f88f320704d22aeee439d0ee4028f093343bd369ff267a90ade2c86d47c69f4a3e66443f510782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c17efe3e5da8fe4bcced724ed2321e22

SHA1
1977d2298a2b12fb7afb046a77d12f54f36a90bb

SHA256
250fa7f9eeb5594da95938f224e7a2ea5163a7278fcb8d7e8804fd1c31a96a55

SHA512
de158c44c10094265f1b5578a3ddf98fc476ca93678d1c9f2bea6d08d5635b8291d62d006d078e9b138caa8e6da452443bce2ee5e175f5ed221a9c80036f9846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
8b0ce482dd4dd2938705ac2800ccd48b

SHA1
e047400bf9fc0fa553d94b1223225f2cba851208

SHA256
d268294fd81c9318776f5f837cf07cd3355839facd0a7fbbbf7b4551455bf888

SHA512
4ed871df07ca401e1abd216f3cf52d5a1453f0d19b968fdb6dae867b68ac574ba06a36502306aef727cee8d0fa3140dd420f0bf98011abab1fba2e2366fc6ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
e888e5f540eef97a4db49f0b3830cf1a

SHA1
416befacbcb895596a2406656aa234aa0f7906f0

SHA256
87990f900e77a4ee21a6d99fab79ed945d6badfca9a9baf35c5cb281bf9f2f3e

SHA512
b4613c7c16f15df4fb63a6d61ce5a9f61d5c943f472b61bc95fe5e6673b085ae869bfb70bf3727319dfb173c5831cbc0f4f87de7c1dd9fd20a04b7711ce38846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13366376719890423

Filesize
1KB

MD5
7f6367f5d5f1a4bd1840ca3fc9e10258

SHA1
cc4e1e2d5a90203173f445044e07734604cbb8c9

SHA256
0369bac1a00d1918548251bd8984ba193e46b983dbd64c0068e1bf25f899fac3

SHA512
fee0ef7a3080c8794e0062bf42e46285b6df1aef2f208da1dcd8f43682cacf9a0e068c9324788b6b447b5f8920997a0f4fce3cf1bf7fe5ef6a2206f55e2db962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13366376720263423

Filesize
1KB

MD5
0f786624921f53146ae914f4e66e58c4

SHA1
18aec600156e34701944776ed21dd0f27f2936a9

SHA256
f7f88f739ee681f53ae26d8fac576d5f6fd7b6e07ce225edacfeaa48c45b70d6

SHA512
5c37c108ddf7e49e63b154a648a8001bb87af452e013a7d2b28300515903f0452f2f167310d69a05b252f575ba5fb7c03d535eb1eb8ef18764623ea57644aab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
3a12ca7326a0e681cc5408b148eaafde

SHA1
c3edfc2c18ad4b5e1f384093b354336ab5b071f1

SHA256
e696ad122cb498de4ecca7fa62a2f971e66b3354025238a9951cc81788a91551

SHA512
0f9ccbe59be3f74a089a9acfeebd8846fd82c92bd343558c93c9be40047eebce4aa0a7175dc7dd050ba50514e0fed5b7ee62a5b5be7eaa12bded708c0b3bce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
bba80c5940e1397f4810fa4d14451113

SHA1
753dc6f1c7bcefe7617c7952274f740a2b94c830

SHA256
5551bfecb205e334ac30e4eff76d1ae75aae99048a9533dc0e5c8185e968c018

SHA512
eb274364b2db2872a0e802e9b769271368348a0452067857a32a5f59f8005ca8ae086ec19fa21a82bc5c0ac358800980277d35b72cf370b01c5761914e12c7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
f69564b4fe330436d46df8833f9974aa

SHA1
070d069349e68169754e138a7a569439c6937e02

SHA256
1a3e5204ba47439c3c475e0652006708830f12e00ce6cb4e77bf7d5a52437942

SHA512
69c8d5730a5f847f8a1606ff0d0ccc69a20b2b9aca13c714635e48c973fc8d09055231bdfa5c82337b31fca334c6d8296ac78d6bd8862e847b35b0f541d753bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
f25c64fad06a0d10939bdddcf0220dca

SHA1
62d92396ae0caafd6dd785ebf452af79db3d6039

SHA256
9729ba5de6eac70400d9ee700d966e4a9ab810313dfbcd53434b7c9b6654bcd0

SHA512
fa57222ee4445cf2c3ac79376728601c31f81c442933d7a966ff6607d8b037586a14d56cc80066712abbe8661d79c50ed5780a1bf97c74c5bfd56cd6c27a1ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
602b29be5e8ea610dbd629322d45ed0c

SHA1
aa596a7b745bea5a367ed16e979dabcd199aab3e

SHA256
66c496d1fe2aa12084893e5e91d6551f1e282b2021f7fe03caabf535e8e59c12

SHA512
8c96adaf342b587d99c3a8b1615f4b52905b14838dd8107f70fe98d8a74d044e7f727691193437a8ae26c46e55ada5aba468ab306783b798792e0b2e573dcbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
707a573eb73dfb8ce1d1b5935fb733a7

SHA1
4ab20637954d322dba5a1005ded8fb18b35792fd

SHA256
73e12d661da85959f64eb22a07040818d6cdfaddf16837ff728c9cc8a4cca80c

SHA512
777d5c46a41c6156351ad9c88c638c5c9fa3fbdf4c61eff99ccd4621c1df6dad55fa757a6541ae0967769f1ea8db5c30aae9c9fc3934ca81aeb50c84e53b8742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
7d5c15ee43e0413aec0c69764edff001

SHA1
faf51db38eb107b4c5a4dc2c6c9597365f67ea3c

SHA256
a99da84f17fcd442a8dffa61421abf1dcc95cbf76019747b69d34ee9db6a6618

SHA512
2e128fe8cb5f6f32b7b51836a6a735e7b2e4ca69b2911835c560edde7a75df84d2e50c82320ed80023f445e36f8ad3616c5dd4d36499ee3db29d11a99c71e3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
8dc43f9244df6804a88bd4abb62784ea

SHA1
27cb440a0ca16b4d43d57df717855b5afdfdbe58

SHA256
46b13ad900e9d2e78529c437cbfc749e8c94b2215dc0ee6048c35f5145a53b14

SHA512
1ffc0bb3833653b309d43a19c046c6ccc6560825c5e2d595fe5efd992982a7974167938b183ebb0ca199128d4b207db17676e8cda2fe909be9af1f0f08efa952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
0797519784c9ae9ba39fc40ecc1f9073

SHA1
855306c310da206ea786dec767f3ded333f2d649

SHA256
9b8ab279d0faae7e409ac6256d9977bc6392a23434d126d179ff4c17c1fcda38

SHA512
016e0cef5194c05fb9c48b65b83c6fd222f4add224296cca9b9781459f9c924d57939387e0ef9c4e48070153aec75c13e8329288f3337c69cffe06408c581e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b577ae9561a85c0632ad798214bcb908

SHA1
1bb3272bf746ed6b90048993ba2f2e3cc5909956

SHA256
eae41098accbf7212f47e2f81fc8f58ac5548a56436795c5368d6ca1a2481c25

SHA512
71818c07ce2cf9d4c13828f5c1fd1f1781f496c55a2e14cfb7aba5fc94792d190b0cf10362d609a43cab0fa44e9e73e988a23d75373d11a560351b20c4103b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
13f04ea9e4af58bb8bbf870924f7c998

SHA1
0652ce7a9ee63af8c4d15d39db4554a3c8ee03c2

SHA256
5d629cf7f0e6b2bf0f8b055b6909f4777093823c704edbceb07c60c87271f261

SHA512
3faedc713368c9032d9c2e9afdad9b54933b71c24e2953e137f30d4b607d706e5a72ca4b69fa505c1feba3edae1e8156234d347d5b479cfaf0089f05f0ba9786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
886cd5ccb27870c3477d967ed491df60

SHA1
1fde61bdff98f14d6d9e3988ec1c72e71d3624c1

SHA256
004efa4c4ac99624f0fb1d1a6680b9a2e4de1648e7e53cc090faa8a9d8e328c1

SHA512
50c66d8d3957ca755eed93589af331208f4ac9b86fa222c1c61bd80cad8d0f5ecda757e02a52636f30d0d9704bec60794c727f5646b7283580b8607f42dd17cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
05454636664e323ede483b99f5ee4212

SHA1
c0b3f7a01b17012c82920efe54ca74cd1f6ec2ab

SHA256
4134b07ffcbddffe3b9b3a3c8bbb1785098d42d7e79e33db010ad6b3ec878f3a

SHA512
f239c7612c08cae1ebc4953568e71f364eab59c8608714ad9a19ed27484eaa5c381725702714a2c2f3fc02540b1f9d252e8a3c649fec0490ce2c87cea0c31778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
b1744f17d7e274561c688bb35e413b9a

SHA1
c4d58be47d460d57be5a8fdb307a38908943e88c

SHA256
447955fe68b0fd9fdecefb8b27af0f1ad8ce24f73dd2bc6cbcf3ce015846200d

SHA512
ab1176971b05f18225581f8fa2f52840df4af250484db429d540fceb243b23a6001d33de2866af3bfb3bf02582d39a624642f825e15abd9645c0ce8392187f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
d1ebf6ea198fb1873623abf9fcf82344

SHA1
d7cbbe460ae5e287b4d4e5be3747e22f49d96855

SHA256
f2695b869b261c44163063a0dfca1c9717b10a34377418abb2e6520126f18f73

SHA512
0c0974f753388b60b6cd6a864dbe7b90f90349232088f199405cc2a77a72da8e201de464b10108eb702a1196b4807641df33164fa639cc8cdcc1fe75904c56a9

Download Submit
C:\Windows\IME\AMIDEWINx64.EXE

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
memory/4844-0-0x00007FFBC9DB0000-0x00007FFBC9DB2000-memory.dmp

Filesize
8KB

Download
memory/4844-1-0x0000000140000000-0x00000001419DD000-memory.dmp

Filesize
25.9MB

Download