warzonerat | 0214d1d58efc92256a064dd0a0d0a58c66f576eb260812dbd4905fdde0011dc6

Resubmissions

19-09-2024 23:39

240919-3ndh3sxfjj 10

19-09-2024 23:29

19-09-2024 23:28

19-09-2024 20:38

19-09-2024 20:35

19-09-2024 20:30

Analysis

max time kernel
1781s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
Size

212KB
MD5

ec2453dbb46e27680ce11ee4d08137e0
SHA1

2831bdbbfc67cb405a2231ca7195f4040ee20d60
SHA256

0214d1d58efc92256a064dd0a0d0a58c66f576eb260812dbd4905fdde0011dc6
SHA512

1f2941be38a9fa7aaec3ad8e64b2c90074d6f4d2fad60a4377597ca422c29c4a49881b1cea598eacb3e41bda25cab616dbf659db99ad728afa89282e75495519
SSDEEP

3072:YLca+56U04VjKkXzpicDlsc3w5zaLjBet8AbWF:fjKkXzpicDGc0kBkA

Score

10^/10

warzonerat discovery infostealer persistence rat rezer0 upx

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/4640-1061-0x0000000005A90000-0x0000000005AB8000-memory.dmp	rezer0

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2236-1070-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2236-1069-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AdwereCleaner.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	AdwereCleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe

Executes dropped EXE 30 IoCs

Processes:

EternalRocks.exeEternalRocks.exeEternalRocks.exeEternalRocks.exeEternalRocks.exeEternalRocks.exeEternalRocks.exeEternalRocks.exeEternalRocks.exeAdwereCleaner.exe6AdwCleaner.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeArcticBomb.exeWarzoneRAT.exeArcticBomb.exe

pid	Process
1884	EternalRocks.exe
2632	EternalRocks.exe
1716	EternalRocks.exe
4208	EternalRocks.exe
5024	EternalRocks.exe
2376	EternalRocks.exe
2840	EternalRocks.exe
2008	EternalRocks.exe
680	EternalRocks.exe
4416	AdwereCleaner.exe
2232	6AdwCleaner.exe
4640	WarzoneRAT.exe
2472	WarzoneRAT.exe
3488	WarzoneRAT.exe
4860	WarzoneRAT.exe
2124	ArcticBomb.exe
4840	ArcticBomb.exe
3648	ArcticBomb.exe
2380	ArcticBomb.exe
612	ArcticBomb.exe
4492	ArcticBomb.exe
3956	ArcticBomb.exe
3940	ArcticBomb.exe
4092	ArcticBomb.exe
4600	ArcticBomb.exe
1096	ArcticBomb.exe
380	ArcticBomb.exe
2772	ArcticBomb.exe
4124	WarzoneRAT.exe
4092	ArcticBomb.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000e0000000235da-1420.dat	upx
behavioral1/memory/2124-1443-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2124-1445-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/4840-1446-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/4492-1472-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/380-1595-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6AdwCleaner.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
102	raw.githubusercontent.com
103	raw.githubusercontent.com
189	raw.githubusercontent.com
229	raw.githubusercontent.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exe

description	pid	Process	procid_target
PID 3464 set thread context of 2388	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	82
PID 3464 set thread context of 0	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
PID 4640 set thread context of 2236	4640	WarzoneRAT.exe	167
PID 3488 set thread context of 5096	3488	WarzoneRAT.exe	169
PID 4860 set thread context of 5056	4860	WarzoneRAT.exe	175
PID 4124 set thread context of 3096	4124	WarzoneRAT.exe	219

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2764	2472	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exeMSBuild.exeMSBuild.exeArcticBomb.exeschtasks.exeMSBuild.exeWarzoneRAT.exeWarzoneRAT.exeschtasks.exeWarzoneRAT.exeschtasks.exeMSBuild.exeArcticBomb.exeIEXPLORE.EXEAdwereCleaner.exeWarzoneRAT.exeWarzoneRAT.exeschtasks.exeec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArcticBomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArcticBomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdwereCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x00090000000234af-916.dat	nsis_installer_1
behavioral1/files/0x00090000000234af-916.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4f7e970612e5da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9F0FA994-76E0-11EF-9A03-F2CE673D6489} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{88DAD59F-1AC1-49F4-8FF1-1C125A58BAAF}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe

Modifies registry class 11 IoCs

Processes:

msedge.exeOpenWith.exeiexplore.exeOpenWith.exemsedge.exeOpenWith.exemsedge.exeOpenWith.exemsedge.exeOpenWith.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{30D0E5D0-7587-4130-B485-826FF1DA278B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{8DD87E1B-5BED-4A1B-B6F2-3DAC612BBD31}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

6AdwCleaner.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe

NTFS ADS 6 IoCs

Processes:

msedge.exeWarzoneRAT.exemsedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 79563.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 882495.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 282176.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 780899.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 263632.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4860	schtasks.exe
5032	schtasks.exe
4404	schtasks.exe
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeWarzoneRAT.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	Process
2388	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
2388	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
2388	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
2388	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
4632	msedge.exe
4632	msedge.exe
3000	msedge.exe
3000	msedge.exe
2128	identity_helper.exe
2128	identity_helper.exe
4296	msedge.exe
4296	msedge.exe
4788	msedge.exe
4788	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
4948	msedge.exe
4948	msedge.exe
2576	msedge.exe
2576	msedge.exe
4428	msedge.exe
4428	msedge.exe
4444	msedge.exe
4444	msedge.exe
2472	WarzoneRAT.exe
4640	WarzoneRAT.exe
4640	WarzoneRAT.exe
2472	WarzoneRAT.exe
4640	WarzoneRAT.exe
2472	WarzoneRAT.exe
3488	WarzoneRAT.exe
3488	WarzoneRAT.exe
3488	WarzoneRAT.exe
4640	WarzoneRAT.exe
4640	WarzoneRAT.exe
4640	WarzoneRAT.exe
4640	WarzoneRAT.exe
3488	WarzoneRAT.exe
3488	WarzoneRAT.exe
4860	WarzoneRAT.exe
4860	WarzoneRAT.exe
4860	WarzoneRAT.exe
208	msedge.exe
208	msedge.exe
4028	msedge.exe
4028	msedge.exe
2044	identity_helper.exe
2044	identity_helper.exe
4556	msedge.exe
4556	msedge.exe
4124	WarzoneRAT.exe
4124	WarzoneRAT.exe
4124	WarzoneRAT.exe
1596	msedge.exe
1596	msedge.exe
4072	msedge.exe
4072	msedge.exe
3068	identity_helper.exe
3068	identity_helper.exe
2816	msedge.exe
2816	msedge.exe
4944	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid	Process
4956	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

6AdwCleaner.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exeWarzoneRAT.exe

description	pid	Process
Token: SeDebugPrivilege	2232	6AdwCleaner.exe
Token: SeDebugPrivilege	2472	WarzoneRAT.exe
Token: SeDebugPrivilege	4640	WarzoneRAT.exe
Token: SeDebugPrivilege	3488	WarzoneRAT.exe
Token: SeDebugPrivilege	4860	WarzoneRAT.exe
Token: SeDebugPrivilege	4124	WarzoneRAT.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeiexplore.exe

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
5068	iexplore.exe
5068	iexplore.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SetWindowsHookEx 38 IoCs

Processes:

ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exeOpenWith.exeiexplore.exeIEXPLORE.EXEOpenWith.exemsedge.exe6AdwCleaner.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid	Process
3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
1844	OpenWith.exe
5068	iexplore.exe
5068	iexplore.exe
960	IEXPLORE.EXE
960	IEXPLORE.EXE
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
2232	6AdwCleaner.exe
2232	6AdwCleaner.exe
4636	OpenWith.exe
3420	OpenWith.exe
1704	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exeec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exemsedge.exe

description	pid	Process	procid_target
PID 3464 wrote to memory of 2388	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	82
PID 3464 wrote to memory of 2388	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	82
PID 3464 wrote to memory of 2388	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	82
PID 3464 wrote to memory of 2388	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	82
PID 3464 wrote to memory of 2388	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	82
PID 3464 wrote to memory of 2388	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	82
PID 3464 wrote to memory of 2388	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	82
PID 3464 wrote to memory of 0	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
PID 3464 wrote to memory of 0	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
PID 3464 wrote to memory of 0	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
PID 3464 wrote to memory of 0	3464	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
PID 2388 wrote to memory of 3472	2388	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	56
PID 2388 wrote to memory of 3472	2388	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	56
PID 2388 wrote to memory of 3472	2388	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	56
PID 2388 wrote to memory of 3472	2388	ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe	56
PID 3000 wrote to memory of 692	3000	msedge.exe	90
PID 3000 wrote to memory of 692	3000	msedge.exe	90
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4784	3000	msedge.exe	91
PID 3000 wrote to memory of 4632	3000	msedge.exe	92
PID 3000 wrote to memory of 4632	3000	msedge.exe	92
PID 3000 wrote to memory of 4448	3000	msedge.exe	93
PID 3000 wrote to memory of 4448	3000	msedge.exe	93
PID 3000 wrote to memory of 4448	3000	msedge.exe	93
PID 3000 wrote to memory of 4448	3000	msedge.exe	93
PID 3000 wrote to memory of 4448	3000	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd498146f8,0x7ffd49814708,0x7ffd49814718
    3⤵
    PID:692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
    3⤵
    PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
    3⤵
    PID:532
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:2640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
    3⤵
    PID:3712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    3⤵
    PID:3056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5000 /prefetch:8
    3⤵
    PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    3⤵
    PID:2756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
    3⤵
    PID:3784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6256 /prefetch:8
    3⤵
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
    3⤵
    PID:4188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
    3⤵
    PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2292 /prefetch:8
    3⤵
    PID:884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3968 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4948
- - C:\Users\Admin\Downloads\EternalRocks.exe
    "C:\Users\Admin\Downloads\EternalRocks.exe"
    3⤵
    - Executes dropped EXE
    PID:1884
- - C:\Users\Admin\Downloads\EternalRocks.exe
    "C:\Users\Admin\Downloads\EternalRocks.exe"
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Users\Admin\Downloads\EternalRocks.exe
    "C:\Users\Admin\Downloads\EternalRocks.exe"
    3⤵
    - Executes dropped EXE
    PID:1716
- - C:\Users\Admin\Downloads\EternalRocks.exe
    "C:\Users\Admin\Downloads\EternalRocks.exe"
    3⤵
    - Executes dropped EXE
    PID:4208
- - C:\Users\Admin\Downloads\EternalRocks.exe
    "C:\Users\Admin\Downloads\EternalRocks.exe"
    3⤵
    - Executes dropped EXE
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    3⤵
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6724 /prefetch:8
    3⤵
    PID:3396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6064 /prefetch:8
    3⤵
    PID:3908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4428
- - C:\Users\Admin\Downloads\AdwereCleaner.exe
    "C:\Users\Admin\Downloads\AdwereCleaner.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4416
  - - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
      "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3296 /prefetch:8
    3⤵
    PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1739294087061189898,8886387037337629257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4444
- - C:\Users\Admin\Downloads\WarzoneRAT.exe
    "C:\Users\Admin\Downloads\WarzoneRAT.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC978.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1592
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2236
- - C:\Users\Admin\Downloads\WarzoneRAT.exe
    "C:\Users\Admin\Downloads\WarzoneRAT.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1108
      4⤵
      Program crash
      PID:2764
- - C:\Users\Admin\Downloads\WarzoneRAT.exe
    "C:\Users\Admin\Downloads\WarzoneRAT.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9B6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2460
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5096
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp647F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd498146f8,0x7ffd49814708,0x7ffd49814718
    3⤵
    PID:3348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:2824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
    3⤵
    PID:2332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    3⤵
    PID:2632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    3⤵
    PID:2840
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    PID:2928
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
    3⤵
    PID:2948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
    3⤵
    PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:1356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5812 /prefetch:8
    3⤵
    PID:4800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6008 /prefetch:8
    3⤵
    PID:2024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1822836007286977286,2431905282384733345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4556
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:4840
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:3648
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:2380
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:612
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:4492
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:3956
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:3940
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:4092
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:4600
- - C:\Users\Admin\Downloads\ArcticBomb.exe
    "C:\Users\Admin\Downloads\ArcticBomb.exe"
    3⤵
    - Executes dropped EXE
    PID:1096
- C:\Users\Admin\Downloads\ArcticBomb.exe
  "C:\Users\Admin\Downloads\ArcticBomb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:380
- C:\Users\Admin\Downloads\ArcticBomb.exe
  "C:\Users\Admin\Downloads\ArcticBomb.exe"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7CA1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3096
- C:\Users\Admin\Downloads\ArcticBomb.exe
  "C:\Users\Admin\Downloads\ArcticBomb.exe"
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd498146f8,0x7ffd49814708,0x7ffd49814718
    3⤵
    PID:4340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:2936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    3⤵
    PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
    3⤵
    PID:2080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
    3⤵
    PID:32
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
    3⤵
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 /prefetch:8
    3⤵
    PID:4284
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:2808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
    3⤵
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    3⤵
    PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3616 /prefetch:8
    3⤵
    PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5576 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
    3⤵
    PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5892 /prefetch:8
    3⤵
    PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
    3⤵
    PID:404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
    3⤵
    PID:1836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
    3⤵
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 /prefetch:8
    3⤵
    PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 /prefetch:8
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 /prefetch:8
    3⤵
    PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
    3⤵
    PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7060949509280963686,732424464567458534,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1420 /prefetch:2
    3⤵
    PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1844
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5068
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5068 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2472 -ip 2472
1⤵
PID:4776

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e403d2fd7e0b4af094b3a90610ff788e /t 3648 /p 2232
1⤵
PID:876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404

Filesize
75KB

MD5
0ee37c6d9ae227b07bbe0163b152c934

SHA1
1feca31bc38928648e564e7ef0709bf170b645ca

SHA256
87c8cc4db85a9697eb895289b41816cc06547162eb7bda7157f0b8c5916523cd

SHA512
a955fb016941cb2b4604a2ef7ce8630fbefce48d92bc682d4ab08c9b598fec377291aefee6300dcba3b9e7244baab98b7bb3131b6b75189675e92d7dc5224689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
1KB

MD5
9cba2f306d90db3a09312578c6e13e1e

SHA1
de4192c655ec45aec5a7d6a0c8f32cbb8142bcce

SHA256
24e7e9cfe9454fee8a4bc6ca2d23a029530f284223b7a9aee60b0be1a9fb8c88

SHA512
e6fb7060be36a08583b4f5a7a29ae1fd1e5389954f767e84c6d6f823290dedc110216dcb6c77dd7fdd38d2c91cdb9851d3e73ca7f39ba69f6561cc9b05d516b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_77D782D611E65A2A81EA974847CB0C84

Filesize
509B

MD5
2edb43db080b3be6be602e2373ac0dec

SHA1
8aed49db11eb31dba268ee6b34e0ac3493a5340b

SHA256
083f5502b0d5b294ab5eec38b6803f710e62e71d88f72630b3ee3a2dc5f92341

SHA512
3351f8adee82788ec7554560106794a1fffd02eec7b1411bd4185f067c365d77d1be79f5c0a762fc35c0b65e2433fe35c9528e9b4a07644e26c11d5ed9fc8e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404

Filesize
300B

MD5
30c2e82678b2ffe15ecb1b84b0ddd361

SHA1
96549d4c7f7f87cee8c72b6a6800952db43f72a9

SHA256
c212af02154d75cdbe168c428d0698f9b48223403739540ffd4abc64958a5c5e

SHA512
27614839991ce46ee06af8783b969506bae2357e2678bf005a3c610337c7f7fe0b186308cbf68e6222c0d3fe73e2373d9c1281f14b32d555e313954c8be66c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
6a6c7c359e47f9b83c0a1f1ba128433d

SHA1
e09f52d1d258eb0bfd8ca4b732a697575c85e28c

SHA256
9624d4b8cf099606cecabc83c01811786fdd2b64cc99ab931f227b1e65d201bd

SHA512
0f34e33360eb700ebb44e3f6e7c8ade256fe54a7cf957944833025344adccc143c689aad1a3c366cd5cde6097852ddd81cf0f3bb42f46188bade134559d27f07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
500B

MD5
707a298b69846efdc1b3c8af770d2d8f

SHA1
56b2098cb74cad8c724859e5d278253dab0efdde

SHA256
2508a9b6c76bac82730112baeef1d02153ea6056021377211c143442f9ce3488

SHA512
1e0c2e18bc0aa6c6df713df112a2559c3abfa09dff554013a265e797077f7fd461042da9b02587c1acba9a695e4c1f0417e7edf866bc6bfd9b2f312447baaa02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_77D782D611E65A2A81EA974847CB0C84

Filesize
486B

MD5
edb6edc3d5ce25d8c7332c6a9f9b22f4

SHA1
3fed1b317cd3e6732e7109997566a5dc47e8797f

SHA256
044b611b8e6859eb5b85b9ad75ee0b7bdc2b9e82614c6fca2af6ab867fe9ccf0

SHA512
28813fe53be5376d840dad36239156bfc09da75fabcb559a4853c5859b1927e7fe35c7780109475f762233312b2f85320309b974d776b2db940060b20206ab19

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\EternalRocks.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
31d9f16f84dab4cbc0db6b2c3339028c

SHA1
c06f136434affe4becf173ae187cd031ef42e307

SHA256
f84ef10c06c0d9545bf8b3616d9ea09f69f191174a2df99d13403701cd96f5af

SHA512
09552c68d3e9b6d6074375b3360e48634be3c88af737f375d420db2c09b1c760777e37166ed0ee4fa21252297dc4ee8e8cbbb56a87ec16dc91e9d1774fa2bbf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c145eda456b3b9a7ba1d6340faa01a74

SHA1
9860d2dfe30cfffdf761cd36f2cfcbef14613739

SHA256
36287a0cd949ed5da4bf31d0cf04e9aa601eda47f4a8a61a42829b304aaa0490

SHA512
2c4df365a920116f37b3e777c0cba03cca738e5ef994607ab77fb9c31d06c8f8221b387f9eabad71c90460641417069f238a6d75b8eb7fe1217de3cdd0329c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0ce8bef8-c46f-42c0-ba1f-d99a850aefe2.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2f7ee0aee28a0831a45e3a476a556bb2

SHA1
a8f10999cfa7efdd0a1e37b16a7cbc472a2fdc6c

SHA256
41c049be96dbadcbc4e928cb66e2b8e6f5c907033440f789807d52a5cbff2217

SHA512
6237b34d130a78cd86d30d957622339faf1e7fca531a2cb82acdc62678493228285f8a9a56f252f1c38e7b13a8dfe3d401e509969a612bb86f2b76049317eb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
485e9cb3fcaa9b25e3879741f3ce1655

SHA1
90211b732e3fb18418a0db6a6dc94d1cbb95ff03

SHA256
63385037bdf6aef5bfc454e9be1f91bc4c7b179acd3634872e5c6b7a8ff140c4

SHA512
a8ee1f68b7492cc56a7374ded2d10ab28adc7ea496fef53e3681ae98492611afa4419e5d9de2f31bf3bc3f345b22d18676f9b5c4cd893fb645e2b639284b5796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
da74b27d994945d01c27e78b19a81c61

SHA1
1448d94c5be4a18f6f7838e11eb5a0765cb4faf8

SHA256
ac6bebdfe9e2509ec522d375265932596561004a9e4c156d844a96a1808d684c

SHA512
3e5f3ae24eda43367d1899125af32cecee0fa3c41fa0d620fe92a05f24f3eef2008245fecd0e056c8743befa46ad41d47e8f4d33568a112f529d5332a2a3441d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d2b525e4c77b9ef579a24de0ac8795f2

SHA1
15eb5336cce48eda213cf7f0b9b6aa586e5bf489

SHA256
bdde847322eb107a0f3dcec542d105c047eee50fa49d60f62ae650b722aa7e72

SHA512
e6dbd859cb9d1b8179f9c21f5d8eb9323d2ad9077dded049dafc3861954b6f83d4e26bb5a1cf19fe7e7b6e1d038a126ba8da4303173f2f6c49774629d9d3bbb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c41536b90b9b4abb54b3eabe5643a984

SHA1
17ff4a6b886b8225de2b4ef2984ea8d1205134eb

SHA256
2787a834c58a89c0786b4259e10dd7cc27c2ef9e4041bd1e93d8e6ec8dd2c626

SHA512
ed6865a39c97a26f40dcf6ae9ddb6c665d63aeedb582ebbc1071b456c45ece89a487c3e58f06dc47bca41d3d3f0ad8dc2427d2d6c7166e59b9f597e0759162e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
28a89ee1dd98ba25aed1b93c0cd9a1b3

SHA1
1a2b279d039c908a0c038516355c2ce3da2ec4af

SHA256
02f0c2be8416ffb939188f4400372b87c03f7af207c53d3b786bc4c739902945

SHA512
baa2fe4d79cb134de52bdc9f1aa46320bc511179f9f3b5f3225dd13c13b35cc640ffd3f04bed4f391c603304ad97d17446b0b0b52a02982962507b93efabbd77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e5d9ca14c8c97f197a1bf1e761bd6660

SHA1
fdfb0299cfdb690e8edbf9720321d5050da71c94

SHA256
27c1faa1bff55dc1eee3942d4e091de06d288caaae42ce8a0da4859fafda97b2

SHA512
d2040cf210f910e635cb6a4cc22c973da69ba82add723bebefd0aa1bf66566bf4e5096f58212e693205cdd117b7730f201fbfa6471a340c47c298685588f8c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7fbf25f1c1eb93df02feb5c11e39b026

SHA1
9d919678007f76b6dc5ee8433f85e7d37bd13780

SHA256
7dacf1813ec369b08019eee320d04f46942c19d77a02e5ecbfb36e591ec3cf29

SHA512
fb6b9e31ebce4ab6a916ffc8384612ca9accafcbb3e1d1ede82f6b3ea01c957eb2c9651033b9ac668cd62d199f263c5ed57274e6bdd3d6494cfdbf78aa91f02e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
36a5355e4d5f8227d9cb63648b5f8e9a

SHA1
2efd97404d3f1713a8cff197b6d4fa8060ab6a48

SHA256
9080354805dc468aa8bb24ec0888d43c858c1bc3168911e6caf78cbfa4168716

SHA512
8825f3dfa96b0234b005f46a13ac8f8adc230b221f8a3b6fa9eb201ed9d1b5385c62e5191e31faa8fa3a2512ca32ccf47f4fcfd06516ad7b81b50f0351c6c45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
735e8f6e14ade04dcec1b191797804c7

SHA1
60766b8f607a49b6764c17c24acd7fe60b653c29

SHA256
b0bcceeae8c165d22922a66b01d4d38f59a955e53cb60a4ee2d6bf7839d5eb01

SHA512
fc35ff6b5c34055933950ab11bc68f1c7c4dc6f95c778d8014010fea380e572d0b2567b677f3da09f0a5e9d8281d1c372cc8b88aca074095416f3837ff0d0dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4d61da96036262bae1fc6ff2cdfbde43

SHA1
ea933d517ee16020a319f7eefc4e24d0b85a8169

SHA256
c7e0bde05e2e056715d217690d0555d31e5a586280544948d1b8642e2d223060

SHA512
402296861482136c1af359671a8aa4580997dcfe3f882b305ccbb2fa19e88284268ca167e21da03dfcf03e1476bf9363907d92e0577445c2e2f12a593fa27c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
dcbd4d821c366bb6188b9709609b1a72

SHA1
736c3847604d7504399792cdda1d8cfb592b7ad4

SHA256
6450237ed080c756f38125d5b4f8bba9ed2e6dcde52cc0f0576fefaaacb487c9

SHA512
ca8fc1162d8209b876e156da19c01bb3761839d7c3a299ed6bf550a4e6ac6e8229b0f3b22784041c393dd0b43364c881a7466cfbf58841726eccca4c989605fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a6f2a174ff3334ce39bbf9608ad6a0f3

SHA1
1fd45a1966901618420c457f3ed5dae35fa94602

SHA256
d0e6bcc47fa68ef000549dacb24284dbd1bb7bd73fd2fe414015cb2dda5238ab

SHA512
6fc0e382c4552941749ab48244ea9395d2ddbaa42d7354d0ed20567568ce320582f2d822969ff6e65f3eef2f5dfeaedaceb76b908526e9396d816ca022274e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1cc306b8fae804799112477d1d60ad18

SHA1
2a2766076919681ce989b820e8e9dea1982cd9be

SHA256
bc98e0a6c3ebe194127ffc339f63403d776fc7b6f3945d8ec6eae1e0d6d7dc57

SHA512
0561dd081d39d11edb307bf16fcb9608dbf4aad44255d85e9be2b1c14a1b1629da37ade87937b5b71df364cf96b151a0f20b2dc78de9174c04c745f56ff45b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a4c0c440bf2eab8f5aa7ef38f56774ac

SHA1
02f8d7ae7fb601e15b8666389675ab65d9775e5b

SHA256
f4e06e144fed79f0d34914a972dc84022108ea7414ed66f1576f24966ddbdcfc

SHA512
0595d5dde952d5f1890d5683054ec64e33743242ee968231629d0bfb2f1cd17242b325312166ef8273da54bb6213be8a42979e6065e691c8382058984c673552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
21d1daab3375271a91b918bc0502e061

SHA1
03a60c11ddeb9cfecf6df2edc1ecb543d030b4bc

SHA256
1ecc405a0b2d0dc7f7316cf8cac81c04e5c57a1ae4429866fd98047ea29f7ed9

SHA512
ff7625b1c24a444d1fcc0980a3b316fd473267777529f17283b244ec2c98769693ab01aa60ea6acfa055170699cdb542739c1d8f087055f4c3d139de1cf7a3dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fa4b27dcc21f54d85ca95a54a91823e5

SHA1
080ac55dff76d6b6fc86a6d3e2396bc69f979dc2

SHA256
0ec790ab6ded43eda456290609aa67fde54e32e9795afd7f879e52d3dcfa8b5b

SHA512
111148676171e502746d0041daa337505ae4a6c9adc9b8126dee6662f7eb2e172c58d07796956ed807bd1a8fa2633ece3a21fc98a87a2d7b7dae3dead41ccb2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
61c313db801f9063e9b6f62ef2f2ce2b

SHA1
907e797209d51f89d0c286bebd41314c295915e5

SHA256
23f2eab06e30cd39d06b6b9c3fd809b943a1fabb7fb19854f4585ea2f9429ef9

SHA512
3480e50e2bf14e079510d5eb8dcb3fb9feb5d1b0f96626b6a08a7d191fd15a150ad8db4ea0d8ab5a088aab0407c092974dfa44fac6bfa06841fa10ac986a29bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
aa22e8eee6e93bf553b0d1c6ac132511

SHA1
1adb6a60135f8de6484d156d8caba8577706f085

SHA256
7dff92a004981926691c12ab8dcb8e61459ce4b69b5daabb2074df17842a41ef

SHA512
765a42ae8911ad590d0a6841c4cacd90b819b2ad96f7a1fed30133e27b46a63cdacd124d46055d990e41574639aceb907e9fc83f6e78514e57ce75c766a71009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dedade5aa30a06c6866d2a4e1454e1a6

SHA1
2978355a96f62ece8d390a38f66145a046ab8a82

SHA256
9e97ec07d09c69b695df7b2c5bb756479f0072db1115055993a18b156de5f860

SHA512
a58a01b15199f7652cb17fad11c4e10578c37533cfcf5c0f28957a93b04d4914c087275a0a608b96a4d9d766a4225e78805e3449cce873fa17c299d4560e75cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2243206cb8d40c59a33ad0b1e94eab9d

SHA1
8159c4a4dffec13423cad5b74e1cc5ba8a50723f

SHA256
65432439c8091f873bace0fa87dca24bf1889551cd56a072b494b1ad0f2c184c

SHA512
c82009491b5c514e86d07108917ee0788cabda6eb28bb13d84650af4e22545c961efadd9a5c4faf971b5909ecf5c21f1a306ea5c4e2545484166aa62329c5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43ffdb87102645f9a3f749ba1edfba1a

SHA1
c44dc360083fdf4ea447b1e2e1eeee91e9b833d0

SHA256
ca9a1c577cf68230d38e2e0bb8014fb7f61b6d92f361088c3aae51d79483c724

SHA512
6fae53dd65a6e5a7feeb4d95faab2a8ae537ec54dceff078c3c22cbb67a681322fac6a6ff62e934986240dcb96eeb869e02647e995ef6fa30b4b5cc795ca6fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c2c5cdf49427dd946771638fd609dbf6

SHA1
9b389be44d5f0c2a23314b520ef8f377f679c02b

SHA256
51575e61b3bc44b20bd1f525fb6e5483348c848698f05eecdb47188a8961d671

SHA512
fcb2c8d41c1868ce6d9093a78b44b15cf449e70685d1896967b23d703d6ad64e0dedde5ab9892200f56a8ca221122378cc980a602e5e69adf7b5663a7944ed02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3111eb8577d3728718e265fcc4d6aa60

SHA1
0d381c81121bb8ba605862d4935ad6490eee54f5

SHA256
b2925142c8a644ca51a07ca0f1d9e172d01793dd928a3ce292d6957b98a0e41e

SHA512
d8607c81167045670de7014cf65d6125df78b9785d02d753d895c9f13ecbb5cc491c94bdaf3002308e6fc0cdef8e1f7f3305a92fdff2d4a3dcfc5227eb9f5792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cad5cf6e65511a1d02c6a45fe3d9f434

SHA1
00845b6d1a5e523224390c1fc82bfc91c90ad695

SHA256
ab016ff1538c83bf51746c929d9fc4d5bbda8f34299922f16a24478de6934077

SHA512
770fc5d49ef9fb4986a2d4f85a499e9e29387c6f6308e0ce35d2fa1ab3158567dfe5ca6d22acbccfb59ad3625bab6b38325b93868b58431348d5e7bca8568929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c4514a7c47661781ff2f2fdf0f8c29ca

SHA1
0292f68f4b19f3f7c0e217457c4971b15cfe3694

SHA256
2c9f9b2986e5025e46dc6115dc7203f0cf7f631a1dc3ebce6c864e5f751788b6

SHA512
96f6c22e4b43bdbe0f2fc40188f6830f7ce13cdc08bd436ad8c8d04b348e9f01cd11b5ef1d5707b20e5d7076120ce267fb2c7269f85f3731886cd412d484a535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54774f6d7755832d4b40702979ee235d

SHA1
c06798d00c3559ad4e843e41508433247e60f60d

SHA256
c9d8c5a2e8574de140c987d4af4ca1ec3746716729e600906b6e6119c8cf014f

SHA512
be28c96b1c6c9c4f943368350bf52803b4aa083525049893447fc8e93e34a647386e26ae591132d132ad4eef56e7cc3847816c8261fef214cdbab4287f951b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6940e3948adfbd698a66b5cfd1950be2

SHA1
6a82f130fb934143df15a27be710532bfb68b6aa

SHA256
ff08af3b8591da87d4cd4fa4cb1313d6fc7ce030db9ca4e818336dfcd3eb34d5

SHA512
2251e235552ed5bfd7b3c931e60ee44e33df5322a7e65fc0b542ca9132595fc93a24bffff58c4877f2ec465d1cb25a1594a620487bc10cc08b86f9e76a6444be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bb3e7a99af0ae4de1651585ad52da43e

SHA1
d4520bf86f749ca90510c8445167897a35275197

SHA256
1e75eabadebc41792744c6a501bb3ca24731edc606e7d39ce4c7fbc22a951b73

SHA512
852fb887c8638e13dc01f180cd22a6db45a64cf1abd4c46f15f2181886f24870bc8498e0af4c0790d08c9b1c10c4d6f3f7b8941fa641b5e291be1b82e33cf10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a0e6ac13422c3ef7dec5f5dc5ea51fad

SHA1
15c8a86042b4f117b0d10f9950df46a7882d25e7

SHA256
8e56dde0ed2f24d5bab362ff3e1d069740336578a4d41ed48c7acace766b9305

SHA512
d25972b1902b317384a726e326246cd5824be9dd02917f15ae6ba4e1ce07b1c79ebad4b13d1f8c562f33fed380ba9df8550a7a177f09d6ebc584f50b96a867f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
881428479db22809965898c7f19e53ca

SHA1
e82b09a3c9bc8b96db55b00cfe20f4a987039945

SHA256
6e29305217b03d8c0866579dc54c7fac24aabbe64df41f01dcae8b3e32c04eeb

SHA512
a4a6024e2cbe85acc0525fdc39749751a4a1a3e054306d4ee3dd7c6cba4935ece685c0953c96205a5fc79597aec50282aa1be71772ac8219a6620aec3e9d99ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
25cc4e0c9c38da54d78a320990ff48b2

SHA1
9a0b9f25be0892f9565cecca1fb51c7a289881ce

SHA256
24d499692e6f9ae1ba0f09d5194a932f743af0566c40b54ec44cb59062728225

SHA512
74bb1d6f6697be2d4f87eabbf54ea2dcc5529e4cbd71261477eecf065c4a6e8a172a92a0e0ee0d81bb2159b2a7e423f1084c93a325420b2514904f374baad24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
be32b5ade9cbcca11ff06501b018a5f4

SHA1
86c3b5aeaac992a665c2317cea451e057e67e237

SHA256
7d16ea5478430eb96de43f87db6863bf713f268bd4c973344c9813d6ec4c262e

SHA512
a3511d4e9e0c0dc101a71c7660a30b61ba0a7be2d980ee40e57627d0e8bc8ec7167f60ae117aafce7e974142528e0f249873f64530028b2f2be9ef75e8bf41d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
70cd4e11611385e939b87a0cb2321820

SHA1
69b8412fe05e42d48e90af7f1c9fec00ce7c2138

SHA256
99a4ab4e5f2dab9ccf2f969a5c230fe3657ab7f5f79cc4c53c0785b1009d7146

SHA512
b2aa510cf3924ca35af3fbe227c029fe79f326debdd01ec1f8dc87f2c63c1e05188ba53e3c9af1f0a2b53ffb23065ba0a13b32c47b01730d24e87eb48d265604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
04e184321263cd21656c8242d27d5dc7

SHA1
ddd6f80dd998470a3bd9141c0b0db505c963c9eb

SHA256
f8ed56f7ced2b13bb43c192e1759a7188f4855554c601b5093c56d7517d9fe21

SHA512
39c010135662c35a69e7db68bbf401fbac97b072f56ae12d70f65ba1663a928c98c2de939966344c9362d82883e6a4581cfa6219d69de694fbf50ce6b0f3f245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ecb16ba1d811e6ab0919c4324fb2a046

SHA1
4299e248e1e47d54d94532a072ddfe7d445a3606

SHA256
9b7049c6c5c294cd6bb97c0ad9af1b9144aeb1ea70462e42ccc6453c68777526

SHA512
7f687ce8164401d5e219006f2388c3c7dee30c92e205c52ea00bcec3968e098da2fcf2cd635f2338efcd3fca431717ff1cf1592650598be7197a61d92f5e0bc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2df849eb4a775292289b63a8943853f3

SHA1
13279e842084ee9a271dc6f45948d612b60d6afe

SHA256
fe71cd1914aea0949387212bff867441449cae18ed6c66bd196678328627789f

SHA512
4cc46488f2ccf536d7fe7af09e80bf99b135e8de9ab761c0fb8f13e2a6c5ec6bfc57b5ea5bca4649c9cf599d167cdf59c93a39a293c7ce1b531be241646d43f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
98bd9d4238a727d8debba4fabcc9301c

SHA1
b4962dcf54908700bec33a6f3285d3a6854687ff

SHA256
32c8ed6492641161ebc8699f1eaa79917f05956ea958ed4780dd8dd04b0053d2

SHA512
0916131a97cff70a6fa3ebc4c1efc0123f46b047c1a8452406767be4f547f4e4f4e252a3fa88a72a05286c1ac45415dc47493d9ae8b5c2ff2cfd4591c1b02b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a576967e3dd45eedd5a755053379831

SHA1
72cfe376b77107ab89eb2dd78c9244d449b0eac7

SHA256
3a53abb6bc8cac0f38f7d6cd604a7422c4407225a2f066a9d11ea83b9653974a

SHA512
385d0bdfff21856044d155b2ad3015446ebd917cc66daf442aee7df261348f7d23c966814585578e44ad7e4b14beb6677bd225aeb9c5144804b25cdd081a7c81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51e69fb7751d4627e534b8d29ee32eb9

SHA1
fb0ff0c97566393c7cba58ef3a30173f5a43496b

SHA256
f2f8d8e5117bed89ad5462490b240f724668349850bfb38f14b6f712e401e887

SHA512
472efc58b765e89ef0ad1a8f57acea2b4912aea08f338a311a593b87d538189e1fd2f56f454cfd927f51a34a5cb50b657700722ed428289336934bc9f74eed38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9be0b0babd1cea366880b23047e583b6

SHA1
31f4a40f5763e3a8d56b7cea5e55182c3ccf4b63

SHA256
96317efb40c7636ca1203bfa6a4abf4c2dbbc75fb676c73d18a0c31fe53c4b57

SHA512
cda199f6a5f2e353e971e1967646df9e9e3617e1758a519f5255af854f58c7e740f4222c744087505b268b9a75c32a5383330f7a301c067015c7c091ff95ab33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
98ed03afb47db233d90510cda895af12

SHA1
ae6895e7122b75ea7933ea2eeb877d86bd11f32a

SHA256
378e4f12d6a69ebfd8b25d3b3f43cabd28a32287371f1e2971ee5eec18a23e69

SHA512
5eb6ac3bccb1cb3f18c8c86d46d9836a7122f2d109a0b6b785a797849aa94d7a1d928ed00370f056db889938ac06f1f656d0abe66d6c21fd6576df920895117e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
91fdbb41e0d4e30b42a3f58845362621

SHA1
5bc676440b879a5afa24abe074987b5702af2f02

SHA256
a618e4916f8545acc025ef32700f61fcbfe36a18ccb73dde9d0de53bd55ed078

SHA512
1622d779fd84febbec3855919cdffe4bb86d00c4cffacab03a25396e6653bdc59a571fbdf0e7b31d818e41d5113600f6328365e355479fa7a50ab0354c029d21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4df7b4b0741b371780c7b2184b5912a2

SHA1
86eee14163adcf2492d83efe0a457952e172e7b9

SHA256
46b28fa96fc846328f4d149d9379fd3762ebd8d4ea78a6b5b14bc33ebc569668

SHA512
09d72e9f97f3f0b02b663134cf17309e8cabcdcfb57bb0a4bb8ab59f8b670230fde91478da7a47e21fc04ab5a20afafdeb39f4d1d71a8413be3670477bd05668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4eb88c7570b35e06abf591e6d883be41

SHA1
aa8b66749d9e1bf63ac7709e70a9eed8cad5e466

SHA256
b26d086d5f83cf53a51737140194909be313f1a0aed0230e879477a354b342e7

SHA512
05fc57bfde6ca5a96d954414e09d0114bfcafecf0246b497ceeaa9200c00013bddcdcaf8905aff5a8d5179bcf99f3281b253a202c09b82aa0c02e2fa477dd3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bc7fa3d82d3193a835de129731249825

SHA1
00467b0b57296afa861fe1eab987de4069895649

SHA256
6e8f6f5541621a19df61fa3921a9442c2a50b410e9cee23c48f551e6dc88dd5f

SHA512
48c5c7286b566e56ac0b326c311c63c17fe5698d4bab12feca97c99b4a48a60404ed1ac2e8c276f002135e1e788e5906c425ad07156e70ca7d6d63b730a90f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07f7e7dedffbe9bad558aee371fe4d48

SHA1
7eb462e08e23fee0c1e5338c71f0cb780f0f31e4

SHA256
cfbaa664325c6fb3afe5036b5589c983aa7f106519ef30f4bf8101298974097f

SHA512
34234c9498ad18feee1366e9a159382fbb1945cf104d27ae74c96e172b3d114f9a28588c95f043e71d027333b619bc59030dff5e7aa924e6789734e69856ef60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2b46b34d5cd963c997703a06e1cec95

SHA1
d57566d1036d78cc15622aee835c6c4dd37f89bc

SHA256
dfbeb58b7b49afc3933c711e0b71dcce1a5484f49c08cbb623a4214257d84713

SHA512
350f582a7c20624e2e37753e2d083bd231622771fbdc18acaf0e13e0898cb6fbaf2a39b5cda0d1bc96cdedc832849ea2e1e95840731b1c9f65dd0295f1f49990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
59dafb18401409082881ac89a255c27a

SHA1
2e9dd1ab38888b0b1eb56914dfbde028f223c48d

SHA256
5feec454b2f28c51e8b25bea971b11cf0a202eb102683e591322365c50bcc722

SHA512
f537ab98fd32a9f736ac55559d48900a6243015c51d8a081a4867d9485abcfe76e99e93acb739023c6a55488e6248f20d731fb3bc90b2b01af68495c2299c7b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
423a05d4c29b0ad74d6e2f0f1d84372a

SHA1
46f123fea3d51b71d037232ae634a89e8703035c

SHA256
4799dfb916bd4e0c7f05beb4aea717d38c306d41434291fceea8f2e5acbf01cf

SHA512
7e9c6b317f81514a2e96498640062e8bea4430d60d5beb1f19d08b581d7aa2981805792fed3931944e367c410c10f22cd1c4ab293d062a16fbe321f209a98322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3b7654c59c63a2b0dea65ba9cc758b9b

SHA1
38f595f6faee057ecb1f10f188a8bdd881fea0fd

SHA256
972cbc33cab39dcddc68b1045ce8c104a4d1c7c4103f59808f6d2b623c46147e

SHA512
9258cca7965dccc91b8dc2638900a0d56cff6eda6b873c77b60332ad06fb218ccdeb08aaa749e1b44c896e9a3ea05411bc6e0efdc0f95165df28497ed610563a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
435365a14cc1195f92247fc1aedaa29f

SHA1
38befcf5eecedf2bf1fb7ab579a92fcd40e74d5d

SHA256
4d33811ad08514bcbec4b31ac7ac8fd67b040ec8d6381aac0ef710d72265e0b3

SHA512
9334f28f04bbe393836913f9f8309d2458bd74bde7f509f461bd47975feec8f40c6f70cb5bef4d0c22e99ea0a22e602909df7012297a5d1e656ecb512a86caaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2cda988b7400fc9d874785f56e09612

SHA1
ff247860ed7943ef2ce46fc4308af630a864914b

SHA256
537e304add4179d4f57b651ca06f83b7f85a9c01732887a4414cd1ce0f8ad6fe

SHA512
7373693e9b1e10d47e213013a0a9d071463c4005e791b2763643aba8f5fcae39cb2e131b19453e513472de637c125ae577ffa24a1ea19ec70fe906595cdabbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0556afe74946e0ee644dec0d70f97a63

SHA1
37b85737f7fac1759078503dd8365b3e60a581b5

SHA256
966a9598678b1354acb37ab034341475ac08a6766dd2bc176a4b2af987f68921

SHA512
297c7268b059559bb9d94af4a5f7a4eaa00f3fdb68e3cddf6e4d08d84ef71de288b8fb6fa19b7cc051fb27a4ecc407284f9280a907d86e736f7b2b210936eb20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64425f6daf9735e25290502e435bcb55

SHA1
d4c53a52e30b001860919c12f2ee4aafa403e724

SHA256
ae024a399e2be8fc8fee0684bb005e719dac85745d8afd0c12a5eb9a1e37416b

SHA512
38fbbf69043ee7875af6c3b9af0fd3a33aab038bfc724d59b9117e021084bd460ffe235491548a204f2d780fe53c7d20ab7951ecb147a4ddfd1b1506653936a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5099408654f464263e30ce61e97814fa

SHA1
1befca1fdb9300ccf8ce4faf175eb458cbdfe8fc

SHA256
bce26e6ccd3af2d5c62adb47034083b27fb29ce987816ecab91218481efd41c1

SHA512
c640fd847eed6dd3f53f1fc7118ced5a2f1d2c1f3d2b45923015f6bf5e5aa509f6356945ed3a05bc57b8ba3429ec06ec213f988970c2ca2b86defaacdadd66da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58395b.TMP

Filesize
536B

MD5
229338fcb83ee149ae80ea694f369ada

SHA1
922e768c0ad570381501f2bcb9055e7c97b346d9

SHA256
d8b8b614adf6d514d4e4659cdba927e0a0f5dc45d10a2b6c5d2562afb47ae754

SHA512
6658e42ccd356f39490d0e82c500ba4c1ecfb1faa8a2be2ff3cfb45ad3f0dd5d99cca8344c508bfbce544bf3a4c2fdc45603983e25a3cd4200c727bfd3bff031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\fa647b87-7836-429e-b813-4b500ced9ce8\2

Filesize
14.6MB

MD5
b84989cb1306c90866d88d17fbfa79a7

SHA1
48feb35074b306af70fad1999421ce9b8a2f27b8

SHA256
97383d0f0f823e496612a90c5f4ad2841db18b08f922064687f8caffed334046

SHA512
ec6fcf7cf32dd94e6ab72aec1c3b961fceb3de29ae2540172d9ec252f097a3d8801bec7b4a399bf3e8fed70ed939db0215c6354d26ffe2baebe522695c1d22d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ffb0bbbd-7b46-48d7-be9e-749058891e3c.tmp

Filesize
1KB

MD5
2cbf32d4d811f11374f5cd7c9cddd085

SHA1
329727446413a9d281d3df9950c1cac00df553ff

SHA256
3876be38c8d694fc86e2bed9bef463eff6c24a33cb63189afb2ec9ee2b74f6d2

SHA512
f05762de855a30062ad132c5753ca38c94dd3136a0971f64a2f4329c7bf19a5a1108a36f0da14abdad2a82143dfd081dbcbeab543fae2695221369cc79f0661e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bb66ae153b29da72558506fa6590aaac

SHA1
4d0373da54360fa80a41a7d7e0d3fe8a0664ee76

SHA256
2c0f08313ffbbb66d467aeaa31ff44b685898722253a775dc502938d5e89f0b9

SHA512
c00cb7f25a2ac3a0e2e19e0fa13d89391cb2e6dfb5a74584778c23f4600987e4f9770994a0c5b7ccec061bfd0bb3190d6534052b3ef7a5092be4f7d8e61af94e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
acb83f22bc7642c777e9edb31c25d51a

SHA1
f2ba954c2bf2a9a2bad9e3b426ac39ef742c1f02

SHA256
e55d297c5a0647b2a9727960ededd565b58ef3ee5839e0f410e0945c0a6cd671

SHA512
364adfc9dec7ab8f267cc29d3a6610c88b7e1aa9b61b95a804adbfb056b379bb77b5d8b62ee1906090db4c0be09750a440d55bd41e3800345c607bbccdc9cf31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
351b18497380f34d8698dfc4a9d69a64

SHA1
00ab371e551919c24c7bb0d48a81f34c9a314391

SHA256
659e8f5cdff24767b091e46d7bb61b255d789c3b6af8c4649a6a837ec5b74322

SHA512
fd716a139bfcef6c997b6c2da70273b005922a0fc6f73668a5823005fd66ee562301e59d8d1bf2162af007fe500166c227a11c12ef20289e4f284c9330924c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cd52cf9ad8f27901f5850d67388fdb05

SHA1
a6a7e5a457fe3bb14eff9c54231352ac5df451a8

SHA256
66def47b897dc08044d4011ede1588c340af7ab2ede62a798a807af399c239ea

SHA512
fdb224b7e35bb968ee7c5b889ee924c83f80e6903aed37a9880e6c824788a29bc8a29eac17d4bded8595db63bb0b466f796b111c2da5e5f14adc9003bbe4c668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6554353d4fa775dcc8433e919e77b74f

SHA1
f75ec566980c182e225b591af82a4ddbdde0ac24

SHA256
541a542ff163e7f744c326827f3e764e3aa23540879aafc333c1d2132e89a257

SHA512
99ea4208700f5c992d0b55675eab3930b6a5af6ccf7019b6e4f38ecf468a26ccb3cc42fdb6043ac6339db7f1443d5993ec332a8915e0338c730431b508b2eeaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b94723631d1996da7bfdf66cf7aa6ef

SHA1
18ef16dec128605811c893bac49ae9e2cdd25e94

SHA256
26225139d348f48cb0baf97a5b1a5f7c968560aa556e830c3d9017f6b320f998

SHA512
eb6c6b582bb3483f4091d72abcc30a7ec286e991b38425061c9653f468ada20e8cb4d7b9608ff9dc2600b2c1c39f776576037549fef9205388bec11912e58446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bc0f1f675f666068043535b27dfc8f0e

SHA1
3974cfe9d5968c378db6a680895fe70cd5fafcc1

SHA256
d52c21d97fd00ff89b1012faa20ade43eb415112336f02c1802c9534b8c5aaac

SHA512
2b6c0b13bf7909d5ee327b0b38ce4d14611aca8ac239943c01fd20d71f0ab19179e6f13dfaac6352a540f8fdb93aa053b3b6f79ebdd9d8fd7e6a3305949de500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb14c22197b3cd50171301347b9b5b0b

SHA1
88158be17214fded2a3a6c1fd0c21dc391a27e9e

SHA256
bb0e604963bf40a5cb6b6df20ca8ea743c56724c3633641fc580b407fe0eef3a

SHA512
16b52e561d6f37648382ebbad20f36ab7bd8050386e3fd97a0eb23a248b10ba8fc31b5495af1adec57e9495dce828f69bc9bb9fe52c252133185c3ce395641d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ea9aa5843846ebfa6942d007361fc67

SHA1
1696ca198e9b3f10f5e8832b96d73d333117837d

SHA256
4556c65b8439fa8642a87b2f29e8a9b9f039dff6b8f48986a4a89e067d076437

SHA512
7c77fabcf923721c29c4d4820519ac9e2d47a12434fd8dba54d8842c67e59862357fc37ae0b21288f1accb15bdb98a622dcd61216b00b812b9bf2562e80134f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f0eb1743c869988de96a12d689bcdce4

SHA1
12b712d90f7a658e9c2bfeaac7679859906e6f64

SHA256
17cd24415fba0a44b4794e8823af41a1d3df052ec2beb8d4f487e95cbdbc5da9

SHA512
5b69e91e90b8db96d0d3861f03df0c061665cfa01440c511cee1b3f74496442604a804a759532da3860d740ac0eb9caf19150e2e2ca18c8c55adadb45fdbe2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3c86f3a6dfb26173da94d1e81110ac37

SHA1
855e4cf5b82c5c0d5beb4a1eeb913433dd080152

SHA256
72e05e57eb7ee72e19ee69ce098a29b6118a2218de2c4df3f3b96397d3c39dab

SHA512
0ee9fa5db16b466d0d0d5f92a2b9f883fc2d9bdd3bfb024aad767a6406ee407c61fe8c8a873f9751b5ef2948a9e2d9d06759a6b345d302de3d4f0f3618f89507

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC978.tmp

Filesize
1KB

MD5
f936f130077e25263e7bccd7e63d8db0

SHA1
e2860e5866c325d9730da605f512d8f75f86b5f2

SHA256
d4b8a8643941922909aba17d79bd08085a0cb07f264a534abe7b9eb5a82d4646

SHA512
3e5b0a0b6141744779beb4bf46304f96d12858588d9d97ae4d4d3f93e2200ecc43c5cb8e023953bf0d257889f78278304b384379facd78ae2eea2de160f5a85f

Download Submit
C:\Users\Admin\AppData\Roaming\jFvfxe.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

Filesize
8.7MB

MD5
799c965e0a5a132ec2263d5fea0b0e1c

SHA1
a15c5a706122fabdef1989c893c72c6530fedcb4

SHA256
001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

SHA512
6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

Download Submit
C:\Users\Admin\Downloads\HorrorKrabs 2.0 Source Code.7z.001

Filesize
24.0MB

MD5
4e0e71cd12d7e640b917d2bde7b7d481

SHA1
3b960472c40df746d3b48ef6ac44dd3fc50c0302

SHA256
7790d961c020586d8f4bdb90157dc0d65e3888daebf21d7c72cfe42f3f5bace5

SHA512
9ecb4597c773ecbdc142d3d872baeb779a49ce65ad6f7217ac634d9bb0d2b736aed518d8896902636f22db48f0ce936c87294b92400636f07b82d9d1024f9d46

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 263632.crdownload

Filesize
3KB

MD5
6f5767ec5a9cc6f7d195dde3c3939120

SHA1
4605a2d0aae8fa5ec0b72973bea928762cc6d002

SHA256
59fe169797953f2046b283235fe80158ebf02ba586eabfea306402fba8473dae

SHA512
c0fbba6ecaef82d04157c5fcf458817bf11ce29cdaf3af6cac56724efcf4305565c6e665cdcf2106c675ba0574c60606be81d9baafe804fc7d2d3a50fed0baf6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 282176.crdownload

Filesize
125KB

MD5
ea534626d73f9eb0e134de9885054892

SHA1
ab03e674b407aecf29c907b39717dec004843b13

SHA256
322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c

SHA512
c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 780899.crdownload

Filesize
5.0MB

MD5
c52f20a854efb013a0a1248fd84aaa95

SHA1
8a2cfe220eebde096c17266f1ba597a1065211ab

SHA256
cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30

SHA512
07b057d4830d3e2d17c7400d56f969c614a8bae4ba1a13603bb53decd1890ddcfbaad452c59cc88e474e2fd3abd62031bf399c2d7cf6dc69405dc8afcea55b9a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 79563.crdownload

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 882495.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
\??\pipe\LOCAL\crashpad_3000_LUGFONSGDSBAHVYK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/380-1595-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1884-695-0x000000001D3A0000-0x000000001D8AE000-memory.dmp

Filesize
5.1MB

Download
memory/1884-620-0x000000001C080000-0x000000001C54E000-memory.dmp

Filesize
4.8MB

Download
memory/1884-696-0x000000001D950000-0x000000001D9EC000-memory.dmp

Filesize
624KB

Download
memory/1884-697-0x000000001B470000-0x000000001B478000-memory.dmp

Filesize
32KB

Download
memory/2124-1445-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2124-1443-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2232-949-0x0000000000D00000-0x0000000000D2E000-memory.dmp

Filesize
184KB

Download
memory/2232-1224-0x00000000225C0000-0x0000000022D66000-memory.dmp

Filesize
7.6MB

Download
memory/2236-1069-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2236-1070-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2388-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2388-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2388-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2472-1056-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/2472-1057-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/2632-618-0x000000001BE40000-0x000000001C26E000-memory.dmp

Filesize
4.2MB

Download
memory/3472-8-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3472-7-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/4492-1472-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4640-1061-0x0000000005A90000-0x0000000005AB8000-memory.dmp

Filesize
160KB

Download
memory/4640-1054-0x0000000000910000-0x0000000000966000-memory.dmp

Filesize
344KB

Download
memory/4640-1060-0x0000000006110000-0x00000000061AC000-memory.dmp

Filesize
624KB

Download
memory/4640-1059-0x00000000056E0000-0x00000000056E8000-memory.dmp

Filesize
32KB

Download
memory/4840-1446-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download